Abstract. The Software Transactional Memory (STM) model is an original approach for controlling concurrent accesses to resources without the need for explicit lock-based synchronization mechanisms. A key feature of STM is to provide a way to group sequences of read and write actions inside atomic blocks, similar to database transactions, whose whole effect should occur atomically.

In this paper, we investigate STM from a process algebra perspective and define an extension of asynchronous CCS with atomic blocks of actions. Our goal is not only to set a formal ground for reasoning on STM implementations but also to understand how this model fits with other concurrency control mechanisms. We also view this calculus as a test bed for extending process calculi with atomic transactions. This is an interesting direction for investigation since, for the most part, existing works that mix transactions with process calculi consider compensating transactions, a model that lacks all the well-known ACID properties.

We show that the addition of atomic transactions results in a very expressive calculus, enough to easily encode other concurrent primitives such as guarded choice and multiset-synchronization (à la join-calculus). The correctness of our encodings is proved using a suitable notion of bisimulation equivalence. The equivalence is then applied to prove interesting "laws of transactions" and to obtain a simple normal form for transactions.

1 Introduction 

The craft of programming concurrent applications is about mastering the strains between two key factors: getting hold of results as quickly as possible, while ensuring that only correct results (and behaviors) are observed. To this end, it is vital to avoid unwarranted access to shared resources. The Software Transactional Memory (STM) model is an original approach for controlling concurrent accesses to resources without using explicit lock-based synchronization mechanisms. Similarly to database transactions, the STM approach provides a way to group sequences of read and write actions inside atomic blocks whose whole effect should occur atomically. The STM model has several advantages. Most notably, it relieves the programmer of the need to explicitly manipulate locks, a task widely recognized as difficult and error-prone. Moreover, atomic transactions provide a clean conceptual basis for concurrency control, which should ease the verification of concurrent programs. Finally, the model is effective: there exist several STM implementations for designing software for multiprocessor systems; these applications exhibit good performance in practice (compared to equivalent, hand-crafted code using locks).

We investigate the STM model from a process algebra perspective and define an extension of asynchronous CCS [22] with atomic blocks of actions. We call this calculus AtCCS. The choice of a dialect of CCS is motivated by an attention to economy: to focus on STM primitives, we study a calculus as simple as possible and dispense with orthogonal issues such as values, mobility of names or processes, etc. We believe that our work could be easily transferred to a richer setting. Our goal is not only to set a formal ground for reasoning on STM implementations but also to understand how this model fits with other concurrency control mechanisms. We also view this calculus as a test bed for extending process calculi with atomic transactions. This is an interesting direction for investigation since, for the most part, works that mix transactions with process calculi consider compensating transactions, see e.g. [2,4,6,8,9,11,12,13,21].

The idea of providing hardware support for software transactions originated from works by Herlihy and Moss [20] and was later extended by Shavit and Touitou [25] to software-only transactional memory. Transactions are used to protect the execution of an atomic block. Intuitively, each thread that enters a transaction takes a snapshot of the shared memory (the global state). The evaluation is optimistic and all actions are performed on a copy of the memory (the local state). When the transaction ends, the snapshot is compared with the current state of the memory. There are two possible outcomes: if the check indicates that concurrent writes have occurred, the transaction aborts and is rescheduled; otherwise, the transaction is committed and its effects are propagated instantaneously. Very recently, Harris et al. [19] have proposed a (combinator style) language of transactions that enables arbitrary atomic operations to be composed into larger atomic expressions. We base the syntax of AtCCS on the operators defined in [19].

The main contributions of this work are: (1) the definition of a process calculus with atomic transactions; and (2) the definition of an asynchronous bisimulation equivalence ≈_a that allows compositional reasoning on transactions. We also have a number of more specific technical results. We show that AtCCS is expressive enough to easily encode interesting concurrent primitives, such as (preemptive versions of) guarded choice and multiset-synchronization, and the leader election problem (Section 3). Next, we define an equivalence between atomic expressions ≃ and prove that ≈_a and ≃ are congruences (Section 4). These equivalences are used to prove the correctness of our encodings, to prove interesting "behavioral laws of transactions" and to define a simple normal form for transactions. We also show that transactions (modulo ≃) have an algebraic structure close to that of a bounded semilattice, an observation that could help improve the design of the transaction language. Finally, we propose a may-testing equivalence for AtCCS, give an equivalent characterization using a trace-based semantics and show that may-testing equivalence is unable to notice the presence of transactions (Section 5). Section 6 concludes with an overview of future and related works. The proofs of the main results are reported in the appendices.

2 The calculus 

We define the syntax and operational semantics of AtCCS, which is essentially a cut-down version of asynchronous CCS, without choice and relabeling operators, equipped with atomic blocks and constructs for composing (transactional) sequences of actions.

Syntax of Processes and Atomic Expressions. The syntax of AtCCS, given in Table 1, is divided into syntactical categories that define a stratification of terms. The definition of the calculus depends on a set of names, ranged over by a, b, ... As in CCS, names model communication channels used in process synchronization, but they also occur as objects of read and write actions in atomic transactions.

Table 1. Syntax of AtCCS: Processes and Atomic Expressions.

Atomic expressions, ranged over by M, N, ..., are used to define sequences of actions whose effect should happen atomically. Actions rd a and wt a represent attempts to input and output to the channel a. Instead of using snapshots of the state for managing transactions, we use a log-based approach. During the evaluation of an atomic block, actions are recorded in a private log δ (a sequence α_1 ... α_n) and have no effects outside the scope of the transaction until it is committed. The action retry aborts an atomic expression unconditionally and starts its execution afresh, with an empty log ε. The termination action end signals that an expression is finished and should be committed. If the transaction can be committed, all actions in the log are performed at the same time and the transaction is closed; otherwise the transaction aborts. Finally, transactions can be composed using the operator orElse, which implements (preemptive) alternatives between expressions. M orElse N behaves as expression N if M aborts and has the behavior of M otherwise.

Processes, ranged over by P, Q, R, ..., model concurrent systems of communicating agents. We have the usual operators of CCS: the empty process, 0, the parallel composition P | Q, and the input prefix a.P. There are some differences though. The calculus is asynchronous, meaning that a process cannot block on output actions. Also, we use replicated input *a.P instead of recursion (this does not change the expressiveness of the calculus) and we lack the choice and relabeling operators of CCS. Finally, the main addition is the presence of the operator atom(M), which models a transaction that safeguards the expression M. The process {|A|}_M represents the ongoing evaluation of an atomic block M: the subscript is used to keep the initial code of the transaction, in case it is aborted and executed afresh, while A holds the remaining actions that should be performed.

An ongoing atomic block, A, B, is essentially an atomic expression enriched with an evaluation state σ and a log δ of the currently recorded actions. A state σ is a multiset of names that represents the output actions visible to the transaction when it was initiated. (This notion of state bears some resemblance with tuple spaces in coordination calculi, such as Linda [10].) When a transaction ends, the state σ recorded in the block (M)_{σ;δ} (the state at the initiation of the transaction) can be compared with the current state (the state when the transaction ends) to check if other processes have concurrently made changes to the global state, in which case the transaction should be aborted.

Notation. In the following, we write σ ⊎ {a} for the multiset σ enriched with the name a and σ \ σ' for the multiset obtained from σ by removing the elements found in σ', that is the smallest multiset σ'' such that σ ⊆ σ' ⊎ σ''. The symbol ∅ stands for the empty multiset while {a^n} is the multiset composed of exactly n copies of a, where {a^0} = ∅.

Given a log δ, we use the notation WT(δ) for the multiset of names which appear as objects of a write action in δ. Similarly, we use the notation RD(δ) for the multiset of names that are objects of read actions. The functions WT and RD may be inductively defined as follows: WT(wt a.δ) = WT(δ) ⊎ {a}; RD(rd a.δ) = RD(δ) ⊎ {a}; WT(rd a.δ) = WT(δ); RD(wt a.δ) = RD(δ); and WT(ε) = RD(ε) = ∅.

Example: Composing Synchronization. Before we describe the meaning of processes, we try to convey the semantics of AtCCS (and the usefulness of the atomic block operator) using a simple example. We take the example of a concurrent system with two memory cells, M_1 and M_2, used to store integers. We consider here a straightforward extension of the calculus with "value-passing"^1. In this setting, we can model a cell with value v by an output m_i!v and model an update by a process of the form m_i?x.(m_i!v' | ...). With this encoding, the channel name m_i acts as a lock protecting the shared resource M_i.

Assume now that the values of the cells should be synchronized to preserve a global invariant on the system. For instance, we model a flying aircraft: each cell stores the pitch of an aileron and we need to ensure that the ailerons stay aligned (that the values of the cells are equal). A process testing the validity of the invariant is for example P_1 below (we suppose that a message on the reserved channel err triggers an alarm). There are multiple design choices for resetting the value of both cells to 0, e.g. P_2 and P_3.

P_1 = m_1?x.m_2?y.if x ≠ y then err!
P_2 = m_2?x.m_1?y.(m_1!0 | m_2!0)
P_3 = m_1?x.(m_1!0 | m_2?y.m_2!0)

Each choice exemplifies a problem with lock-based programming. The composition of P_1 with P_2 leads to a race condition where P_1 acquires the lock on M_1, P_2 on M_2, and each process gets stuck. The composition of P_1 and P_3 may break the invariant (the value of M_1 is updated too quickly). A solution in the first case is to strengthen the invariant and enforce an order for acquiring locks, but this solution is not viable in general and opens the door to priority inversion problems. Another solution is to use an additional (master) lock to protect both cells, but this approach obfuscates the code and significantly decreases the concurrency of the system.

Overall, this simple example shows that synchronization constraints do not compose well when using locks. This situation is consistently observed (and bears a resemblance to the inheritance anomaly problem found in concurrent object-oriented languages). The approach advocated in this paper is to use atomic transactions. In our example, the problem is solved by simply wrapping the two operations in a transaction, like in the following process, which ensures that all cell updates are effected atomically.

atom(rd(m_2?y).wt(m_2!0).rd(m_1?x).wt(m_1!0))

More examples may be found in the paper on composable memory transactions [19], which makes a compelling case that "even correctly-implemented concurrency abstractions cannot be composed together to form larger abstractions."

^1 Keeping to our attention to economy in the definition of AtCCS, we choose not to consider values in the formal syntax, but our results could be easily extended to take them into account.

Table 2. Operational Semantics: Processes.

Operational Semantics. Like for the syntax, the semantics of AtCCS is stratified in two levels: there is one reduction relation for processes and a second for atomic expressions. With a slight abuse of notation, we use the same symbol (→) for both relations.

Reduction for Processes. Table 2 gives the semantics of processes. A reduction is of the form P;σ → P';σ' where σ is the state of P. The state σ records the names of all output actions visible to P when the reduction happens. It grows when an output is reduced, (OUT), and shrinks in the case of inputs, (IN) and (REP). A parallel composition evolves if one of the components evolves or if both can synchronize, rules (parL), (parR) and (COM). In a hiding P\^n a, the annotation n is an integer denoting the number of outputs on a which are visible to P. Intuitively, in a "configuration" P\^n a;σ, the outputs visible to P are those in σ ⊎ {a^n}. This extra annotation is necessary because the scope of a is restricted to P, hence it is not possible to have outputs on a in the global state. Rule (HID) allows synchronization on the name a to happen inside a hiding. For instance, we have $(P \mid \bar{a}) \backslash^n a\,;\,\sigma \to P \backslash^{n+1} a\,;\,\sigma$.

The remaining reduction rules govern the evolution of atomic transactions. Like in the case of (COM), all those rules, but (atOk), leave the global state unchanged. Rule (atSt) deals with the initiation of an atomic block atom(M): an ongoing block {|(M)_{σ;ε}|}_M is created which holds the current evaluation state σ and an empty log ε. An atomic block {|A|}_M reduces when its expression A reduces, rule (atPass). (The reduction relation for ongoing expressions is defined by the rules in Table 3.) Rules (atRe), (atFail) and (atOk) deal with the completion of a transaction. After a finite number of transitions, the evaluation of an ongoing expression will necessarily result in a fail state, (retry)_{σ;δ}, or a success, (end)_{σ;δ}. In the first case, rule (atRe), the transaction is aborted and started again from scratch. In the second case, we need to check if the log is consistent with the current evaluation state. A log is consistent if the read actions of δ can be performed on the current state. If the check fails, rule (atFail), the transaction aborts. Otherwise, rule (atOk), we commit the transaction: the names in RD(δ) are taken from the current state and a bunch of outputs on the names in WT(δ) are generated.

Reduction for Ongoing Expressions. Table 3 gives the semantics of ongoing atomic expressions. We recall that, in an expression (rd a.M)_{σ;δ}, the subscript σ is the initial state, that is a copy of the state at the time the block has been created, and δ is the log of actions performed since the initiation of the transaction.

Rule (ARdOk) states that a read action rd a is recorded in the log δ if all the read actions in δ.rd a can be performed in the initial state. If it is not the case, the ongoing expression fails, rule (ARdF). This test may be interpreted as a kind of optimization: if a transaction cannot commit in the initial state then, should it commit at the end of the atomic block, it would mean that the global state has been concurrently modified during the execution of the transaction. Note that we consider the initial state σ and not σ ⊎ WT(δ), which means that, in an atomic block, write actions are not directly visible (they cannot be consumed by a read action). This is coherent with the fact that outputs on WT(δ) only take place after the commit of the block. Rule (AWr) states that a write action always succeeds and is recorded in the current log.

The remaining rules govern the semantics of the retry, end and orElse constructs. These constructs are borrowed from the STM combinators used in the implementation of an STM system in Concurrent Haskell [19]. We define these operators with an equivalent semantics, with the difference that, in our case, a state is not a snapshot of the (shared) memory but a multiset of visible outputs. A composition M orElse N corresponds to the interleaving of the behaviors of M and N, which are independently evaluated with respect to the same evaluation state (but have distinct logs). The orElse operator is preemptive: the ongoing block M orElse N ends if and only if M ends, or M aborts and N ends.

3 Encoding Concurrency Primitives 

Our first example is a simple solution to the celebrated leader election problem that does not lead to deadlock and ensures that, at each round, a leader is elected.
Consider a system composed of n processes and a token, named t, that is modeled by an output $\bar{t}$. A process becomes a leader by getting (making an input on) t. As usual, all participants run the same process (except for the value of their identity). We suppose that there is only one copy of the token in the system and that leadership of process i is communicated to the other processes by outputting on a reserved name win_i. A participant that is not a leader outputs on loose_i. The protocol followed by the participants is defined by the following process:

$L_i = (\mathrm{atom}(\mathrm{rd}\,t.\mathrm{wt}\,k.\mathrm{end}\ \mathrm{orElse}\ \mathrm{wt}\,k'.\mathrm{end}) \mid k.(\overline{win_i} \mid \bar{t}) \mid k'.\overline{loose_i}) \backslash^0 k \backslash^0 k'$

In this encoding, the atomic block is used to protect the concurrent accesses to t. If the process L_i commits its transaction and inputs (grabs) the token, it immediately releases an output on its private channel k. The transactions of the other participants may either fail or commit while releasing an output on their private channel k'. Then, the elected process L_i may proceed with a synchronization on k that triggers the output win_i and releases the lock. The semantics of atom( ) ensures that only one transaction can acquire the lock and commit the atomic block; then no other process has acquired the token in the same round and we are guaranteed that there is at most one leader.

This expressivity result is a mixed blessing. Indeed, it means that any implementation of the atomic operator should be able to solve the leader election problem, which is known to be very expensive in the case of loosely-coupled systems or in the presence of failures (see e.g. [24] for a discussion on the expressivity of process calculi and electoral systems). On the other hand, atomic transactions are optimistic and are compatible with the use of probabilistic approaches. Therefore it is still reasonable to expect a practical implementation of AtCCS.

In the following, we show how to encode two fundamental concurrency patterns, namely 
(preemptive versions of) the choice and join-pattern operators. 

Guarded choice. We consider an operator for choice, μ_1.P_1 + ··· + μ_n.P_n, such that every process is prefixed by an action μ_i that is either an output $\bar{a_i}$ or an input a_i. The semantics of choice is characterized by the following three reduction rules (we assume that Q is also a choice):

(C-INP)  $a.P + Q\,;\,\sigma \uplus \{a\} \to P\,;\,\sigma$
(C-OUT)  $\bar{a}.P + Q\,;\,\sigma \to P\,;\,\sigma \uplus \{a\}$
(C-PASS)

A minor difference with the behavior of the choice operator found in CCS is that our semantics gives precedence to the leftmost process (this is reminiscent of the preemptive behavior of orElse). Another characteristic is related to the asynchronous nature of the calculus, see rule (C-OUT): since an output action can always interact with the environment, a choice $\bar{a}.P + Q$ may react at once and release the process $\bar{a} \mid P$.

Like in the example of the leader election problem, we can encode a choice μ_1.P_1 + ··· + μ_n.P_n using an atomic block that will mediate the interaction with the actions μ_1, ..., μ_n. We start by defining a straightforward encoding of input/output actions into atomic actions: $[[\bar{a}]] = \mathrm{wt}\,a$ and $[[a]] = \mathrm{rd}\,a$. Then the encoding of choice is the process

$[[\mu_1.P_1 + \cdots + \mu_n.P_n]] = (\mathrm{atom}([[\mu_1]].[[\bar{k_1}]].\mathrm{end}\ \mathrm{orElse}\ \cdots\ \mathrm{orElse}\ [[\mu_n]].[[\bar{k_n}]].\mathrm{end}) \mid k_1.[[P_1]] \mid \cdots \mid k_n.[[P_n]]) \backslash^0 k_1 \cdots \backslash^0 k_n$
The principle of the encoding is essentially the same as in our solution to the leader election problem. Actually, using the encoding for choice, we can rewrite our solution in the following form: $L_i = t.(\overline{win_i} \mid \bar{t}) + \overline{loose_i}.0$. Using the rules in Table 2, it is easy to see that our encoding of choice is compatible with rule (C-INP), meaning that:

$[[a.P + Q]]\,;\,\sigma \uplus \{a\} \to^* (\{|(\mathrm{end})_{\sigma \uplus \{a\};\,\mathrm{rd}\,a.\mathrm{wt}\,k_1}|\}_M \mid k_1.[[P]] \mid \cdots) \backslash^0 k_1 \backslash \cdots\,;\,\sigma \uplus \{a\}$
$\to (\bar{k_1} \mid k_1.[[P]] \mid \cdots) \backslash^0 k_1 \backslash \cdots\,;\,\sigma$
$\to ([[P]] \mid \cdots) \backslash^0 k_1 \backslash \cdots\,;\,\sigma$

where the processes in parallel with [[P]] are harmless. In the next section, we define a weak bisimulation equivalence ≈_a that can be used to garbage collect harmless processes in the sense that, e.g. (P | k.Q)\^0 k ≈_a P if P has no occurrences of k. Hence, we could prove that [[a.P + Q]];σ ⊎ {a} →* ≈_a [[P]];σ, which is enough to show that our encoding is correct with respect to rule (C-INP). The same is true for rules (C-OUT) and (C-PASS).

Join Patterns. A multi-synchronization (a_1 × ··· × a_n).P may be viewed as an extension of input prefix in which communication requires a synchronization with the n outputs $\bar{a_1}, \ldots, \bar{a_n}$ at once, that is, we have the reduction:

(J-INP)  $(a_1 \times \cdots \times a_n).P\,;\,\sigma \uplus \{a_1, \ldots, a_n\} \to P\,;\,\sigma$

This synchronization primitive is fundamental to the definition of the Gamma calculus of Banâtre and Le Métayer and of the Join calculus of Fournet and Gonthier. It is easy to see that the encoding of a multi-synchronization (input) is a simple transaction:

$[[(a_1 \times \cdots \times a_n).P]] = (\mathrm{atom}([[a_1]].\cdots.[[a_n]].[[\bar{k}]].\mathrm{end}) \mid k.[[P]]) \backslash^0 k$  (where k is fresh)

and that we have $[[(a_1 \times \cdots \times a_n).P]]\,;\,\sigma \uplus \{a_1, \ldots, a_n\} \to^* (0 \mid [[P]]) \backslash^0 k\,;\,\sigma$, where the process $(0 \mid [[P]]) \backslash^0 k$ is behaviorally equivalent to [[P]], that is:

$[[(a_1 \times \cdots \times a_n).P]]\,;\,\sigma \uplus \{a_1, \ldots, a_n\} \to^* \approx_a [[P]]\,;\,\sigma$

Based on this encoding, we can define two interesting derived operators: a mixed version of multi-synchronization, (μ_1 × ··· × μ_n).P, that mixes input and output actions; and a replicated version, that is analogous to replicated input.

$[[(\mu_1 \times \cdots \times \mu_n).P]] \triangleq (\mathrm{atom}([[\mu_1]].\cdots.[[\mu_n]].[[\bar{k}]].\mathrm{end}) \mid k.[[P]]) \backslash^0 k$
$[[*(\mu_1 \times \cdots \times \mu_n).P]] \triangleq (\bar{r} \mid *r.\mathrm{atom}([[\mu_1]].\cdots.[[\mu_n]].[[\bar{r}]].[[\bar{k}]].\mathrm{end}) \mid *k.[[P]]) \backslash^0 r \backslash^0 k$

By looking at the possible reductions of these (derived) operators, we can define derived reduction rules. Assume δ is the log [[μ_1]].···.[[μ_n]]; we have a simulation result comparable to the case for multi-synchronization, namely:

$[[(\mu_1 \times \cdots \times \mu_n).P]]\,;\,\sigma \uplus \mathrm{RD}(\delta) \to^* \approx_a [[P]]\,;\,\sigma \uplus \mathrm{WT}(\delta)$
$[[*(\mu_1 \times \cdots \times \mu_n).P]]\,;\,\sigma \uplus \mathrm{RD}(\delta) \to^* \approx_a [[*(\mu_1 \times \cdots \times \mu_n).P]] \mid [[P]]\,;\,\sigma \uplus \mathrm{WT}(\delta)$

To obtain join-definitions, we only need to combine a sequence of replicated multi-synchronizations using the choice composition defined previously. (We also need hiding to close the scope of the definition.) Actually, we can encode even more flexible constructs mixing choice and join-patterns. For the sake of simplicity, we only study examples of such operations. The first example is the (linear) join-pattern (a × b).P ∧ (a × c).Q, that may fire P if the outputs {a, b} are in the global state σ and otherwise fire Q if {a, c} is in σ (actually, real implementations of the join-calculus have a preemptive semantics for pattern synchronization). The second example is the derived operator $((a \times b) + (b \times c \times \bar{a})).P$, such that P is fired if outputs on {a, b} are available or if outputs on {b, c} are available (in which case an output on a is also generated). These examples can be easily interpreted using atomic transactions:

$[[(a \times b).P \wedge (a \times c).Q]] = (\mathrm{atom}([[a]].[[b]].[[\bar{k_1}]].\mathrm{end}\ \mathrm{orElse}\ [[a]].[[c]].[[\bar{k_2}]].\mathrm{end}) \mid k_1.P \mid k_2.Q) \backslash^0 k_1 \backslash^0 k_2$
$[[((a \times b) + (b \times c \times \bar{a})).P]] = (\mathrm{atom}([[a]].[[b]].[[\bar{k}]].\mathrm{end}\ \mathrm{orElse}\ [[b]].[[c]].[[\bar{a}]].[[\bar{k}]].\mathrm{end}) \mid k.P) \backslash^0 k$

In the next section we define the notion of bisimulation used for reasoning on the soundness 
of our encodings. We also define an equivalence relation for atomic expressions that is useful 
for reasoning on the behavior of atomic blocks. 

4 Bisimulation Semantics 

A first step before obtaining a bisimulation equivalence is to define a Labeled Transition System (LTS) for AtCCS processes related to the reduction semantics.

Labeled Semantics of AtCCS. It is easy to derive labels from the reduction semantics given in Table 2. For instance, a reduction of the form P;σ → P';σ ⊎ {a} is clearly an output transition and we could denote it using the transition $P \xrightarrow{\bar{a}} P'$, meaning that the effect of the transition is to add a message on a to the global state σ. We formalize the notion of label and transition. Besides output actions $\bar{a}$, which correspond to an application of rule (OUT), we also need block actions, which are multisets {a_1, ..., a_n} corresponding to the commit of an atomic block, that is to the deletion of a bunch of names from the global state in rule (atOk). Block actions include the usual labels found in LTS for CCS and are used for labeling input and communication transitions: an input action a, which intuitively corresponds to rules (IN) and (REP), is a shorthand for the (singleton) block action {a}; the silent action τ, which corresponds to rule (COM), is a shorthand for the empty block action ∅. In the following, we use the symbols θ, γ, ... to range over block actions and μ, μ', ... to range over labels, μ ::= $\bar{a}$ | θ | τ | a.

The labeled semantics for AtCCS is the smallest relation $P \xrightarrow{\mu} P'$ satisfying the two following clauses:

1. we have $P \xrightarrow{\bar{a}} P'$ if there is a state σ such that P;σ → P';σ ⊎ {a};

2. we have $P \xrightarrow{\theta} P'$ if there is a state σ such that P;σ ⊎ θ → P';σ.

Note that, in the case of the (derived) action τ, we obtain from clause 2 that $P \xrightarrow{\tau} P'$ if there is a state σ such that P;σ → P';σ. As usual, silent actions label transitions that do not modify the environment (in our case the global state) and so are invisible to an outside observer. Unlike CCS, the calculus has more examples of silent transitions than mere internal synchronization, e.g. the initiation and evolution of an atomic block, see e.g. rules (atSt) and (atPass). Consequently, a suitable (weak) equivalence for AtCCS should not distinguish e.g. the processes atom(retry), atom(end), $(a.\bar{a})$ and 0. The same is true with input transitions. For instance, we expect to equate the processes a.0 and atom(rd a.end).

Our labeled semantics for AtCCS is not based on a set of transition rules, as is usually the case. Nonetheless, we can recover an axiomatic presentation of the semantics using the tight correspondence between labeled transitions and reductions characterized by Proposition 1.

Proposition 1. Consider two processes P and Q. The following implications are true:

(COM) if $P \xrightarrow{\bar{a}} P'$ and $Q \xrightarrow{a} Q'$ then $P \mid Q \xrightarrow{\tau} P' \mid Q'$;

(PAR) if $P \xrightarrow{\mu} P'$ then $P \mid Q \xrightarrow{\mu} P' \mid Q$ and $Q \mid P \xrightarrow{\mu} Q \mid P'$;

(HID) if $P \xrightarrow{\mu} P'$ and the name a does not appear in μ then $P \backslash^n a \xrightarrow{\mu} P' \backslash^n a$;

(HIDOUT) if $P \xrightarrow{\bar{a}} P'$ then $P \backslash^n a \xrightarrow{\tau} P' \backslash^{n+1} a$;

(HIDAT) if $P \xrightarrow{\mu} P'$ and μ = θ ⊎ {a^m}, where a is a name that does not appear in the label θ, then $P \backslash^{n+m} a \xrightarrow{\theta} P' \backslash^n a$.

Proof. In each case, we have a transition of the form $P \xrightarrow{\mu} P'$. By definition, there are states σ and σ' such that P;σ → P';σ'. The property is obtained by a simple induction on this reduction (a case analysis on the last reduction rule is enough). □

We define additional transition relations used in the remainder of the paper. As usual, we denote by ⇒ the weak transition relation, that is the reflexive and transitive closure of $\xrightarrow{\tau}$. We denote by $\overset{\mu}{\Longrightarrow}$ the relation $\Rightarrow \xrightarrow{\mu} \Rightarrow$. If s is a sequence of labels μ_1 ... μ_n, we denote $\xrightarrow{s}$ the relation such that $P \xrightarrow{s} P'$ if and only if there is a process Q such that $P \xrightarrow{\mu_1} Q$ and $Q \xrightarrow{\mu_2 \ldots \mu_n} P'$ (and $\xrightarrow{s}$ is the identity relation when s is the empty sequence ε). We also define a weak version $\overset{s}{\Longrightarrow}$ of this relation in the same way. Lastly, we denote $\xrightarrow{\mu^n}$ the relation $\xrightarrow{\mu} \ldots \xrightarrow{\mu}$, the composition of n copies of $\xrightarrow{\mu}$.

Asynchronous Bisimulation for Processes and Expressions. Equipped with a labeled transition system, we can define the traditional (weak) bisimulation equivalence ≈ between processes. This is the largest equivalence R such that if P R Q and $P \xrightarrow{\mu} P'$ then $Q \overset{\mu}{\Longrightarrow} Q'$ and P' R Q'. Weak bisimulation can be used to prove interesting equivalences between processes. For instance, we can prove that $(P \mid \bar{a}) \backslash^n a \approx P \backslash^{n+1} a$. Nonetheless, a series of equivalence laws are not valid for ≈. For instance, atom(rd a.end) ≉ a.0, meaning that, whereas there is no context that separates the two processes, it is possible to test the presence of an atomic block. Also, the usual asynchronous law is not valid: $a.\bar{a} \not\approx 0$. To overcome these limitations, we define a weak asynchronous bisimulation relation, denoted ≈_a, in the style of [1].

Definition 1 (weak asynchronous bisimulation). A symmetric relation R is a weak asynchronous bisimulation if whenever P R Q then the following holds:

1. if $P \xrightarrow{\bar{a}} P'$ then there is Q' such that $Q \overset{\bar{a}}{\Longrightarrow} Q'$ and P' R Q';

2. if $P \xrightarrow{\theta} P'$ then there is a process Q' and a block action γ such that $Q \overset{\gamma}{\Longrightarrow} Q'$ and $(P' \mid \prod_{a \in (\gamma \setminus \theta)} \bar{a})\ \mathcal{R}\ (Q' \mid \prod_{a \in (\theta \setminus \gamma)} \bar{a})$.

We denote with ≈_a the largest weak asynchronous bisimulation.

Assume P ≈_a Q and $P \xrightarrow{\tau} P'$; the (derived) case for silent action entails that there is Q' and θ such that $Q \overset{\theta}{\Longrightarrow} Q'$ and $P' \mid \prod_{a \in \theta} \bar{a} \approx_a Q'$. If θ is the silent action, θ = ∅, we recover the usual condition for bisimulation, that is Q ⇒ Q' and P' ≈_a Q'. If θ is an input action, θ = {a}, we recover the definition of asynchronous bisimulation of [1]. Due to the presence of block actions γ, the definition of ≈_a is slightly more complicated than in [1], but it is also more compact (we only have two cases) and more symmetric. Hence, we expect to be able to reuse known methods and tools for proving the equivalence of AtCCS processes. Another indication that ≈_a is a good choice for reasoning about processes is that it is a congruence. The proof is reported in Appendix A.

Theorem 1. Weak asynchronous bisimulation ≈_a is a congruence.

We need to define a specific equivalence relation to reason on transactions. Indeed, the obvious choice that equates two expressions M and N if atom(M) ≈_a atom(N) does not lead to a congruence. For instance, we have (rd a.wt a.end) equivalent to end while atom(rd a.wt a.end orElse wt b.end) ≉_a atom(end orElse wt b.end). The first transaction may output a message on b while the second always ends silently.

We define an equivalence relation between atomic expressions ≃, and a weak atomic preorder ⊑, that relates two expressions if they end (or abort) for the same states. We also ask that equivalent expressions should perform the same changes on the global state when they end. We say that two logs δ, δ' have the same effects, denoted δ =_σ δ', if σ \ RD(δ) ⊎ WT(δ) = σ \ RD(δ') ⊎ WT(δ'). We say that M ⊑_σ N if and only if either (1) (N)_{σ;ε} ⇒ (retry)_{σ;δ}; or (2) (N)_{σ;ε} ⇒ (end)_{σ;δ} and (M)_{σ;ε} ⇒ (end)_{σ;δ'}. Similarly, we have M ≃_σ N if and only if either (1) (M)_{σ;ε} ⇒ (retry)_{σ;δ} and (N)_{σ;ε} ⇒ (retry)_{σ;δ'}; or (2) (M)_{σ;ε} ⇒ (end)_{σ;δ} and (N)_{σ;ε} ⇒ (end)_{σ;δ'}, with δ =_σ δ'.

Definition 2 (weak atomic equivalence). Two atomic expressions M,N are equivalent, de- 
noted M ±2 N, if and only ifM i2 c N for every state O. Similarly, we have MZ\N if and only if 
M^ G N for every state G. 

While the definitions of $\sqsubseteq$ and $\asymp$ depend on a universal quantification over states, testing the equivalence of two expressions is not expensive. First, we can rely on a monotonicity property of reduction: if $\sigma \subseteq \sigma'$ then, for all $M$, the effects of $(M)_{\sigma;\delta}$ are included in those of $(M)_{\sigma';\delta}$. Moreover, we define a normal form for expressions later in this section (see Proposition 2) that greatly simplifies the comparison of expressions. Another indication that $\asymp$ is a good choice of equivalence for atomic expressions is that it is a congruence. The proof is reported in Appendix A.

Theorem 2. Weak atomic equivalence $\asymp$ is a congruence.

Dining Philosophers. In this example we give yet another solution to the well-known dining philosophers problem. We use atomic blocks of actions in the implementation of the system, and we show that the obtained process behaves as its specification, without using backtracking and without falling into deadlock. Suppose there are four philosophers and let $I = \{0,1,2,3\}$ be the set of indexes. In what follows we write $+$ for addition modulo 4. Let $t$ be the set of indexes of the thinking philosophers, which are ready to eat, and $e$ the set of indexes of the eating philosophers, which are ready to think. $P_{t;e}$ is the specification of the system, with $t \cup e = I$, $t \cap e = \emptyset$ and no $i \in I$ such that $i, i+1 \in e$:

$$P_{t;e} \;=\; \sum_{i \in e} t_i.P_{t \cup i;\, e - i} \;+\; \sum_{i = 0,1 \;\mid\; e = \emptyset} \tau.\big(e_i.P_{t - i;\, i} + e_{i+2}.P_{t - (i+2);\, (i+2)}\big) \;+\; \sum_{i \in t \;\mid\; i-1,\, i+1 \notin e,\; i+2 \in e} \tau.e_i.P_{t - i;\, e \cup i}$$

The specification never deadlocks, and there are at most two eating philosophers (with indexes $i$ and $i+2$). The eating and thinking actions of philosopher $i$, $e_i$ and $t_i$, are observed as inputs.
A philosopher $D_i$, for $i \in I$, can be implemented as follows:

$$D_i = \mathsf{atom}(\mathsf{rd}\,c_{i-1}.\mathsf{rd}\,c_i.\mathsf{end}).e_i.t_i.(\bar c_{i-1} \mid \bar c_i).$$

Process $D_i$ attempts to get the chopsticks on its right and on its left by using an atomic block that reads $c_{i-1}$ and $c_i$. If the atomic block cannot commit, then at least one of the chopsticks is not available, hence at least one of its neighbours, $D_{i-1}$ or $D_{i+1}$, is already eating, and $D_i$ retries to get both chopsticks. Otherwise it can eat: it acquires both chopsticks at once and eats by inputting $e_i$. After eating, it can decide to start thinking, by inputting $t_i$, and after that it releases both chopsticks.

The global system is the parallel composition of the philosophers $D_i$ and of the outputs of the four chopsticks, which are hidden from observers:

$$D = (D_0 \mid D_1 \mid D_2 \mid D_3 \mid \bar c_0 \mid \bar c_1 \mid \bar c_2 \mid \bar c_3)\backslash^{0} c_0, c_1, c_2, c_3 .$$

In what follows we show that $P_{I;\emptyset} \approx_a D$ holds. First we define a useful abbreviation. Suppose $A, B, C, D, E \subseteq \{0,1,2,3\}$ are sets of indexes such that $A \cup B \cup C = \{0,1,2,3\}$, $A \cap B = A \cap C = B \cap C = \emptyset$, and $D \cup E \subseteq \{0,1,2,3\}$ with $D \cap E = \emptyset$. We define $D\{A;B;C;D;E\}$ as follows:

$$D\{A;B;C;D;E\} \;\triangleq\; \Big(\prod_{i \in A} D_i \;\mid\; \prod_{i \in B} e_i.t_i.(\bar c_{i-1} \mid \bar c_i) \;\mid\; \prod_{i \in C} t_i.(\bar c_{i-1} \mid \bar c_i) \;\mid\; \prod_{i \in D} \bar c_i\Big)\backslash^{n_0} c_0 \backslash^{n_1} c_1 \backslash^{n_2} c_2 \backslash^{n_3} c_3$$

where $n_i = 1$ if $i \in E$ and $n_i = 0$ otherwise. That is, a system where the philosophers in $A$ are in the initial state; the philosophers in $B$ are ready to eat (they have already acquired the chopsticks); the philosophers in $C$ are ready to think (they have already eaten); the indexes in $D$ correspond to available chopsticks not yet output; and the indexes in $E$ correspond to chopsticks that have already been output (and absorbed by the hiding operator), thus chopsticks that can be taken by some philosopher for eating.

In the following $\wp(S)$ represents the powerset of $S$. $P_{I;\emptyset}\ \mathcal{S}\ D$, where the weak asynchronous bisimulation $\mathcal{S}$ is defined as follows:

$$\begin{array}{rl}
\mathcal{S} = & \{(P_{I;\emptyset},\ D\{I;\emptyset;\emptyset;I \setminus S;S\}) \mid S \in \wp(I)\}\\[3pt]
\cup & \{(P_{I-i;\,i},\ D\{I-i;\emptyset;\{i\};\{i+1,i+2\} \setminus S;S\}) \mid S \in \wp(\{i+1,i+2\}),\ i \in I\}\\[3pt]
\cup & \{(P_{I-i;\,i},\ D\{\{i-1,i+1\};\{i+2\};\{i\};\emptyset;\emptyset\}) \mid i \in I\}\\[3pt]
\cup & \{(P_{\{i-1,i+1\};\{i,i+2\}},\ D\{\{i-1,i+1\};\emptyset;\{i,i+2\};\emptyset;\emptyset\}) \mid i \in I\}\\[3pt]
\cup & \{((e_i.P_{I-i;\,i} + e_{i+2}.P_{I-(i+2);\,(i+2)}),\ D\{\{i-1,i+1\};\{i+2,i\};\emptyset;\emptyset;\emptyset\}) \mid i = 0,1\}\\[3pt]
\cup & \{((e_i.P_{I-i;\,i} + e_{i+2}.P_{I-(i+2);\,(i+2)}),\ D\{\{i-1,i,i+1\};\{i+2\};\emptyset;\{i-1,i\} \setminus S;S\}) \mid S \in \wp(\{i-1,i\}),\ i = 0,1\}\\[3pt]
\cup & \{((e_i.P_{I-i;\,i} + e_{i+2}.P_{I-(i+2);\,(i+2)}),\ D\{\{i-1,i+1,i+2\};\{i\};\emptyset;\{i+1,i+2\} \setminus S;S\}) \mid S \in \wp(\{i+1,i+2\}),\ i = 0,1\}.
\end{array}$$
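To see the deadlock and mutual-exclusion claims concretely, here is an added example (not part of the original paper) that enumerates every reachable state of a small model of the system $D$ and checks them. The two chopstick reads of $D_i$ are modelled as one indivisible step, as the atomic block guarantees, and $D_i$ is taken to restart after releasing its chopsticks, as the relation $\mathcal{S}$ above requires; the release outputs are folded into the $t_i$ step, which only removes silent steps. For contrast, the same explorer is run on a lock-style variant that picks up $c_i$ first and $c_{i-1}$ afterwards in two separate steps. The names `steps`, `explore`, `check_atomic` and `check_lock_style` are this example's own.

```python
from collections import deque

N = 4                                   # philosophers 0..3; indexes are taken modulo N
IDLE, LEFT, HOLDING, EATING = range(4)  # LEFT (one chopstick held) only occurs in the lock-style variant


def replace(phases, i, value):
    """Tuple update: phases with philosopher i moved to the given phase."""
    return phases[:i] + (value,) + phases[i + 1:]


def steps(state, atomic):
    """Enabled transitions of a state (phases, free chopsticks).

    atomic=True models D_i: the reads of c_{i-1} and c_i commit together or not
    at all, so a philosopher never holds a single chopstick.  atomic=False
    models a lock-style philosopher that grabs c_i first and c_{i-1} afterwards.
    Yields (label, successor) pairs; the labels e_i and t_i are the observable inputs.
    """
    phases, free = state
    for i in range(N):
        right, left = (i - 1) % N, i
        phase = phases[i]
        if phase == IDLE:
            if atomic:
                if {right, left} <= free:
                    yield "tau", (replace(phases, i, HOLDING), free - {right, left})
            elif left in free:
                yield "tau", (replace(phases, i, LEFT), free - {left})
        elif phase == LEFT and right in free:
            yield "tau", (replace(phases, i, HOLDING), free - {right})
        elif phase == HOLDING:
            yield f"e{i}", (replace(phases, i, EATING), free)
        elif phase == EATING:               # t_i, after which both chopsticks are released
            yield f"t{i}", (replace(phases, i, IDLE), free | {right, left})


def explore(atomic):
    """Breadth-first enumeration of all reachable states; returns (states, deadlocks)."""
    init = ((IDLE,) * N, frozenset(range(N)))
    seen, todo, deadlocks = {init}, deque([init]), []
    while todo:
        state = todo.popleft()
        successors = [succ for _, succ in steps(state, atomic)]
        if not successors:
            deadlocks.append(state)
        for succ in successors:
            if succ not in seen:
                seen.add(succ)
                todo.append(succ)
    return seen, deadlocks


def holders(state):
    """Philosophers currently holding both chopsticks (ready to eat or eating)."""
    return [i for i, phase in enumerate(state[0]) if phase in (HOLDING, EATING)]


def check_atomic():
    """The properties claimed for P_{t;e}: no deadlock, at most two philosophers
    hold chopsticks at any time, and those two are some i and i+2."""
    states, deadlocks = explore(atomic=True)
    safe = all(
        len(holders(s)) <= 2
        and all((j - i) % N == 2 for i in holders(s) for j in holders(s) if i != j)
        for s in states
    )
    return {"states": len(states), "deadlocks": len(deadlocks), "safe": safe}


def check_lock_style():
    """The classic failure: every philosopher holds its own chopstick and waits."""
    states, deadlocks = explore(atomic=False)
    return {"states": len(states), "deadlocks": deadlocks}


if __name__ == "__main__":
    print("atomic acquisition:", check_atomic())
    print("lock-style acquisition:", check_lock_style())
```

The only deadlocked state the lock-style variant can reach is the one where all four philosophers are in phase LEFT with no chopstick free; the atomic variant has none, because a philosopher that cannot commit consumes nothing and simply retries.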

On the Algebraic Structure of Transactions. The equivalence relations $\asymp$ and $\approx_a$ can be used to prove interesting laws of atomic expressions and processes. We list some of these laws in Table 4. The bisimulation relations that prove the laws in Table 4 are reported in Appendix B.

Table 4. Algebraic Laws of Transactions.

Laws for atomic expressions:

(COMM)    $\alpha.\beta.M \asymp \beta.\alpha.M$
(DIST)    $\alpha.(M\ \mathsf{orElse}\ N) \asymp (\alpha.M)\ \mathsf{orElse}\ (\alpha.N)$
(ASS)     $M_1\ \mathsf{orElse}\ (M_2\ \mathsf{orElse}\ M_3) \asymp (M_1\ \mathsf{orElse}\ M_2)\ \mathsf{orElse}\ M_3$
(IDEM)    $M\ \mathsf{orElse}\ M \asymp M$
(ABSRT1)  $\alpha.\mathsf{retry} \asymp \mathsf{retry}$
(ABSRT2)  $\mathsf{retry}\ \mathsf{orElse}\ M \asymp M \asymp M\ \mathsf{orElse}\ \mathsf{retry}$
(ABSEND)  $\mathsf{end}\ \mathsf{orElse}\ M \asymp \mathsf{end}$

Laws for processes:

(ASY)     $a.\bar a \approx_a 0$
(A-ASY)   $\mathsf{atom}(\mathsf{rd}\,a.\mathsf{wt}\,a.\mathsf{end}) \approx_a 0$
(A-1)     $\mathsf{atom}(\mathsf{rd}\,a.\mathsf{end}) \approx_a a.0$

Let $\mathfrak{M}$ denote the set of all atomic expressions. The behavioural laws for atomic expressions are particularly interesting since they exhibit a rich algebraic structure for $\mathfrak{M}$. For instance, rules (COMM) and (DIST) state that action prefix $\alpha.M$ is a commutative operation that distributes over $\mathsf{orElse}$. We also have that $(\mathfrak{M}, \mathsf{orElse}, \mathsf{retry})$ is an idempotent semigroup with (two-sided) identity $\mathsf{retry}$, rules (ASS), (ABSRT2) and (IDEM), and that $\mathsf{end}$ is a left zero for $\mathfrak{M}$, rule (ABSEND). Most of these laws appear in [19] but are not formally proved there.
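The following added example (not from the paper; the tuple encoding and every function name are this example's own) implements the reduction of atomic expressions on a state $\sigma$ together with the effect $\sigma \setminus \mathrm{RD}(\delta) \uplus \mathrm{WT}(\delta)$ of a committed log, and uses it to decide $\asymp$ and $\sqsubseteq$ of Definition 2 by enumerating states. The enumeration is finite because of the monotonicity remark made after Definition 2: a state holding more copies of a name than either expression can read behaves like the largest state enumerated. The law checks cover Table 4 and the pair $\mathsf{rd}\,a.\mathsf{wt}\,a.\mathsf{end}$, $\mathsf{end}$ from the start of this section.

```python
from collections import Counter
from itertools import product

# Atomic expressions as nested tuples (this example's encoding, not the paper's):
#   end | retry | rd a.M | wt a.M | M orElse N
END, RETRY = ("end",), ("retry",)
def rd(a, M): return ("rd", a, M)
def wt(a, M): return ("wt", a, M)
def orelse(M, N): return ("orElse", M, N)

def run(M, sigma, log=()):
    """Reduce (M)_{sigma;log} to ("end", log) or ("retry", None).
    sigma is a multiset of messages.  Reads consume from a private snapshot and
    are logged; writes are only logged, so a later rd a does not see an earlier
    wt a of the same transaction (this is what makes (COMM) hold).  The second
    branch of orElse restarts from the (sigma, log) the first one started with."""
    sigma, log = Counter(sigma), list(log)
    while True:
        tag = M[0]
        if tag == "end":
            return "end", tuple(log)
        if tag == "retry":
            return "retry", None
        if tag == "rd":
            _, a, M = M
            if sigma[a] == 0:           # no message on a: this branch fails
                return "retry", None
            sigma[a] -= 1
            log.append(("rd", a))
        elif tag == "wt":
            _, a, M = M
            log.append(("wt", a))
        else:
            _, M1, M2 = M
            result = run(M1, sigma, log)
            return result if result[0] == "end" else run(M2, sigma, log)

def effect(sigma, log):
    """sigma \\ RD(log) (+) WT(log): the global state once log is committed."""
    state = Counter(sigma)
    for kind, a in log:
        state[a] += 1 if kind == "wt" else -1
    return frozenset((a, n) for a, n in state.items() if n > 0)

def outcome(M, sigma):
    """None if M retries on sigma, otherwise the committed state."""
    status, log = run(M, sigma)
    return None if status == "retry" else effect(sigma, log)

def names(M):
    if M[0] in ("rd", "wt"):
        return {M[1]} | names(M[2])
    return names(M[1]) | names(M[2]) if M[0] == "orElse" else set()

def reads(M, a):
    """Most copies of a that one run of M can consume (an upper bound)."""
    if M[0] == "rd":
        return (M[1] == a) + reads(M[2], a)
    if M[0] == "wt":
        return reads(M[2], a)
    return max(reads(M[1], a), reads(M[2], a)) if M[0] == "orElse" else 0

def states(M, N):
    """The states that can tell M and N apart.  By monotonicity of reduction a
    state with more copies of a than either can read behaves like the largest one."""
    ns = sorted(names(M) | names(N))
    bounds = [max(reads(M, a), reads(N, a)) for a in ns]
    for mult in product(*[range(b + 1) for b in bounds]):
        yield Counter({a: m for a, m in zip(ns, mult) if m})

def equivalent(M, N):
    """Weak atomic equivalence: same verdict on every state, same effect when both end."""
    return all(outcome(M, s) == outcome(N, s) for s in states(M, N))

def refines(M, N):
    """Weak atomic preorder M <= N: whenever N ends on a state, so does M."""
    return all(outcome(N, s) is None or outcome(M, s) is not None for s in states(M, N))

def check_table4():
    """Each law of Table 4 on a concrete instance; every entry should be True."""
    A, B = rd("b", END), wt("c", END)
    M1, M2, M3 = rd("a", END), rd("b", wt("c", END)), wt("d", END)
    return {
        "COMM": equivalent(rd("a", wt("b", END)), wt("b", rd("a", END))),
        "DIST": equivalent(rd("a", orelse(A, B)), orelse(rd("a", A), rd("a", B))),
        "ASS": equivalent(orelse(M1, orelse(M2, M3)), orelse(orelse(M1, M2), M3)),
        "IDEM": equivalent(orelse(M2, M2), M2),
        "ABSRT1": equivalent(rd("a", RETRY), RETRY),
        "ABSRT2": equivalent(orelse(RETRY, M2), M2) and equivalent(M2, orelse(M2, RETRY)),
        "ABSEND": equivalent(orelse(END, M2), END),
    }

def naive_choice_fails():
    """The pair from the start of this section: bisimilar as atomic blocks (A-ASY),
    yet not weakly atomically equivalent, and an orElse context tells them apart."""
    bad, good = rd("a", wt("a", END)), END
    return (not equivalent(bad, good),
            not equivalent(orelse(bad, wt("b", END)), orelse(good, wt("b", END))))
```

`refines` is the preorder $\sqsubseteq$ read off Definition 2 (the end-or-abort condition only, with no effect condition), so it confirms Proposition C1 on instances such as $\mathsf{rd}\,a.\mathsf{end} \sqsubseteq \mathsf{rd}\,a.\mathsf{rd}\,b.\mathsf{end}$ while rejecting the converse.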

Actually, we can show that the structure of $\mathfrak{M}$ is close to that of a bounded join-semilattice. We assume unary function symbols $a()$ and $\bar a()$ for every name $a$ (a term $a(M)$ is intended to represent the prefix $\mathsf{rd}\,a.M$, and $\bar a(M)$ the prefix $\mathsf{wt}\,a.M$) and use the symbols $\sqcup$, $1$, $0$ instead of $\mathsf{orElse}$, $\mathsf{end}$, $\mathsf{retry}$. With this presentation, the behavioural laws for atomic expressions are almost those of a semilattice. By definition of $\sqsubseteq$, we have that $M \sqcup M' \asymp M$ if and only if $M \sqsubseteq M'$, and for all $M, N$ we have $1 \sqsubseteq M \sqcup N \sqsubseteq M \sqsubseteq 0$. Writing $\mu, \mu'$ for any of the symbols $a()$, $\bar a()$:

$$\mu(\mu'(M)) \asymp \mu'(\mu(M)) \qquad \mu(M \sqcup N) \asymp \mu(M) \sqcup \mu(N) \qquad \mu(0) \asymp 0$$
$$0 \sqcup M \asymp M \asymp M \sqcup 0 \qquad 1 \sqcup M \asymp 1$$

It is possible to prove other behavioural laws to support our interpretation of $\mathsf{orElse}$ as a join. However, some important properties are missing; most notably, while $\sqcup$ is associative, it is not commutative. For instance, $a(b(1)) \sqcup 1 \not\asymp 1$ while $1 \asymp 1 \sqcup a(b(1))$, rule (ABSEND). This observation could help improve the design of the transaction language: it would be interesting to enrich the language so that we obtain a real lattice.

Normal Form for Transactions. Next, we show that it is possible to rearrange an atomic expression (using the behavioural laws) to put it into a simple normal form. This procedure can be understood as a kind of compilation that transforms an expression $M$ into a simpler form.

Informally, an atomic expression $M$ is in normal form if it does not contain nested $\mathsf{orElse}$ (all occurrences are at top level) and if there are no redundant branches. A redundant branch is a sequence of actions that will never be executed. For instance, the read actions of $\mathsf{rd}\,a.\mathsf{end}$ are included in those of $\mathsf{rd}\,a.\mathsf{rd}\,b.\mathsf{end}$, so the second branch in the composition $(\mathsf{rd}\,a.\mathsf{end})\ \mathsf{orElse}\ (\mathsf{rd}\,a.\mathsf{rd}\,b.\mathsf{end})$ is redundant: if $\mathsf{rd}\,a.\mathsf{end}$ fails then $\mathsf{rd}\,a.\mathsf{rd}\,b.\mathsf{end}$ cannot succeed, and if it succeeds the second branch is never tried. We overload the functions defined on logs and write $\mathrm{RD}(M)$ for the (multiset of) names occurring in read actions of $M$; we define $\mathrm{WT}(M)$ similarly. In what follows, we abbreviate $(M_1\ \mathsf{orElse} \ldots \mathsf{orElse}\ M_n)$ with the expression $\bigsqcup_{i \in 1..n} M_i$. We say that an expression $M$ is in normal form if it is of the form $\bigsqcup_{i \in 1..n} K_i$ where for all indexes $i, j \in 1..n$ we have: (1) $K_i$ is a sequence of action prefixes $\alpha_{i_1}.\ldots.\alpha_{i_m}.\mathsf{end}$; and (2) $\mathrm{RD}(K_i) \not\subseteq \mathrm{RD}(K_j)$ for all $i < j$. Condition (1) requires the absence of nested $\mathsf{orElse}$ (and of $\mathsf{retry}$), and condition (2) prohibits redundant branches (it also means that all branches but the last one contain a read action). The following proposition is proved in Appendix C.

Proposition 2. For every expression $M$ there is a normal form $M'$ such that $M \asymp M'$.
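As an added example (not from the paper; the tuple encoding and the function names are this example's own), here is the compilation step that Proposition 2 describes: $\mathsf{orElse}$ is flattened to the top level using (ASS) and (DIST), branches ending in $\mathsf{retry}$ are dropped using (ABSRT1) and (ABSRT2), and a branch $K_j$ is discarded when an earlier kept branch $K_i$ satisfies $\mathrm{RD}(K_i) \subseteq \mathrm{RD}(K_j)$ as multisets, which also covers (IDEM) and (ABSEND).

```python
from collections import Counter

# Atomic expressions as nested tuples (this example's encoding, not the paper's):
#   end | retry | rd a.M | wt a.M | M orElse N
END, RETRY = ("end",), ("retry",)
def rd(a, M): return ("rd", a, M)
def wt(a, M): return ("wt", a, M)
def orelse(M, N): return ("orElse", M, N)


def branches(M):
    """Flatten M into the list of its branches, each a list of prefixes that
    ends (implicitly) in end.  Branches ending in retry are dropped."""
    tag = M[0]
    if tag == "end":
        return [[]]
    if tag == "retry":                              # (ABSRT1)/(ABSRT2): contributes nothing
        return []
    if tag in ("rd", "wt"):                         # (DIST): push the prefix into every branch
        return [[(tag, M[1])] + k for k in branches(M[2])]
    return branches(M[1]) + branches(M[2])          # (ASS): nesting order is irrelevant


def reads(K):
    """RD(K) as a multiset: rd a.rd a.end needs two copies of a."""
    return Counter(a for kind, a in K if kind == "rd")


def included(c1, c2):
    """Multiset inclusion c1 <= c2."""
    return all(c2[a] >= n for a, n in c1.items())


def normal_form(M):
    """Branches of M with the redundant ones removed: K_j is redundant if some
    kept K_i, i < j, has RD(K_i) <= RD(K_j), since then K_j fails whenever K_i
    does and is never tried when K_i succeeds.  A branch with no reads (end)
    makes everything after it redundant, which is (ABSEND)."""
    kept = []
    for K in branches(M):
        if not any(included(reads(K0), reads(K)) for K0 in kept):
            kept.append(K)
    return kept


def is_normal_form(ks):
    """Condition (2) of the definition: RD(K_i) not included in RD(K_j) for i < j."""
    return all(not included(reads(ks[i]), reads(ks[j]))
               for i in range(len(ks)) for j in range(i + 1, len(ks)))


def show(ks):
    """Render a list of branches in the paper's concrete syntax."""
    return " orElse ".join(".".join(f"{k} {a}" for k, a in K) + (".end" if K else "end")
                           for K in ks) or "retry"


if __name__ == "__main__":
    M = orelse(orelse(rd("a", orelse(rd("b", wt("c", END)), orelse(RETRY, wt("d", END)))),
                      orelse(rd("e", END), END)),
               rd("f", END))
    print(show(normal_form(M)))
    # rd a.rd b.wt c.end orElse rd a.wt d.end orElse rd e.end orElse end
```

Because $\mathrm{RD}$ is a multiset, $(\mathsf{rd}\,a.\mathsf{rd}\,a.\mathsf{end})\ \mathsf{orElse}\ (\mathsf{rd}\,a.\mathsf{end})$ keeps both branches (the second one succeeds on a state with a single $a$), while the reverse order drops its second branch.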

Our choice of using bisimulation for reasoning about atomic transactions may appear arbitrary. We have already argued for the need to consider asynchronous bisimulation $\approx_a$ instead of (the simple) weak bisimulation $\approx$. In the next section, we study a testing equivalence for AtCCS, more particularly an asynchronous may-testing semantics [17].



5 May-testing semantics 

Using a testing equivalence instead of bisimulation is sometimes more convenient. Nonetheless, testing equivalences have the drawback that their definition depends on a universal quantification over arbitrarily many processes. We define a may-testing equivalence for AtCCS and give an alternative characterization using a trace-based preorder. We also expose some shortcomings of may testing related to the (folklore) fact that it cannot distinguish the points of choice in a process. Actually, we define for every atomic block $\mathsf{atom}(M)$ a corresponding process without transactions (but using choice) that is indistinguishable from $\mathsf{atom}(M)$. The results stated in this section are proved in Appendix D.

We define the notions of observers and successful computations. An observer $O$ is a particular type of process which does not contain atomic blocks and that can perform a distinct output $\bar\omega$ (the success action). We denote by $\mathit{Obs}$ the set of all observers. A computation from a process $P$ and an observer $O$ is a sequence of transitions of the form $P \mid O = P_0 \mid O_0 \to \cdots \to P_k \mid O_k \to \cdots$ which is either infinite or of finite length, say $n$, such that $P_n \mid O_n$ cannot evolve. A computation from $P \mid O$ is successful if there is an index $n$ such that $O_n$ has a success action, that is $O_n \xrightarrow{\bar\omega}$. In this case, we say that $P\ \mathit{may}\ O$. Two processes are may-testing equivalent if they have the same successful observers.

Definition 3 (may-testing preorder). Given two processes $P$ and $Q$, we write $P \sqsubseteq_{may} Q$ if for every observer $O$ in $\mathit{Obs}$ we have that $P\ \mathit{may}\ O$ implies $Q\ \mathit{may}\ O$. We use $\simeq_{may}$ to denote the equivalence obtained as the kernel of the preorder $\sqsubseteq_{may}$.

Universal quantification over observers makes it difficult to work with the operational definition of the may preorder. Following [7], we study a trace-based characterization for our calculus. The following preorder over traces will be used for defining the alternative characterization of the may-testing preorder.

In our setting, a trace $s$ is a sequence of actions $\mu_1 \ldots \mu_n$. (We only consider output and block actions and leave aside $\tau$ and input actions, which are derivable.) We define a preorder $\preceq_0$ on traces as the smallest relation that satisfies the following laws:

$$\begin{array}{ll}
(\mathrm{T01})\quad s_1 s_2 \preceq_0 s_1 \{a\} s_2 & (\mathrm{T02})\quad s_1 s_2 \{a\} s_3 \preceq_0 s_1 \{a\} s_2 s_3\\[3pt]
(\mathrm{T03})\quad s_1 s_2 \preceq_0 s_1 \{a\} \bar a\, s_2 & (\mathrm{T04})\quad \{a_1,\ldots,a_n\} \preceq_0 \{a_1\} \ldots \{a_n\}
\end{array}$$

Following the terminology of [7], (T01), (T02) and (T03) are the laws for deletion, postponement and annihilation of input actions. We add rule (T04), which allows block actions to be replaced by the corresponding sequences of inputs. The simulation relation $\preceq$ is the reflexive and transitive closure of $\preceq_0$. The preorder $\preceq$ is preserved by prefixing. We can now define a preorder over processes.

Definition 4 (alternative preorder). For processes $P$ and $Q$, we set $P \ll_{may} Q$ if for all weak transitions $P \xRightarrow{s} P'$ there is a trace $s'$ and a process $Q'$ such that $s' \preceq s$ and $Q \xRightarrow{s'} Q'$.

We now prove the coincidence of $\ll_{may}$ and $\sqsubseteq_{may}$. Some definitions and preliminary results are needed. For every label $\mu$ we define the complement $\bar\mu$ such that: the complement of an output action $\bar a$ is the block action $\{a\}$, and the complement of a block action $\{a_1,\ldots,a_n\}$ is the trace $\bar a_1 \ldots \bar a_n$. For every trace $s = \mu_1 \ldots \mu_n$, the cotrace $\bar s = \bar\mu_1 \ldots \bar\mu_n$ is obtained by concatenating the complements of the actions in $s$. The following lemma relates the preorder $\preceq$ with the operational semantics of processes.

Lemma 1. Assume that $s' \preceq s$ and $P \xRightarrow{\bar s} P'$; then there is a process $P''$ such that $P \xRightarrow{\bar s'} P''$.

The next step is to define a special class of observers. For every trace $s$, we inductively define an observer $O(s) \in \mathit{Obs}$ as follows:

$$O(\varepsilon) = \bar\omega, \qquad O(\bar a\, s) = a.O(s), \qquad O(\{a_1,\ldots,a_n\}\, s) = \Big(\prod_{i \in 1..n} \bar a_i\Big) \mid O(s) .$$

The following property shows that the sequences of visible actions of $O(s)$ are related to the traces simulated by $s$.

Lemma 2. Consider two traces $s$ and $r$. If there is a process $Q$ such that $O(s) \xRightarrow{\bar r} Q$ then $r \preceq s$.

We can now prove a full abstraction theorem between the may-testing preorder $\sqsubseteq_{may}$ and the alternative preorder $\ll_{may}$.

Theorem 3. For all processes $P$ and $Q$, we have $P \sqsubseteq_{may} Q$ if and only if $P \ll_{may} Q$.

Next, we show that may-testing semantics is not precise enough to tell apart atomic transactions from sequences of input actions. We consider an atomic expression $M$ in normal form. Assume $M = \bigsqcup_{i \in 1..n} K_i$; the following lemma states that the observable behaviour of $M$ is obtained by considering, for every branch $K_i$, a transition labelled by the block action containing $\mathrm{RD}(K_i)$, followed by output transitions on the names in $\mathrm{WT}(K_i)$.

Lemma 3. Assume $M = \bigsqcup_{i \in 1..n} K_i$ is an expression in normal form. For every index $i$ in $\{1,\ldots,n\}$ we have $\mathsf{atom}(M) \xRightarrow{\alpha_i} \{\!\{(\mathsf{end})_{\sigma;\delta}\}\!\}_M$, where $\alpha_i = \mathrm{RD}(K_i) = \mathrm{RD}(\delta)$ and $\mathrm{WT}(\delta) = \mathrm{WT}(K_i)$.

As a corollary of Lemma 3, we obtain that the possible behaviours of $\mathsf{atom}(M)$ can be described as $\mathsf{atom}(M) \xRightarrow{\alpha_i} \prod_{b \in \mathrm{WT}(K_i)} \bar b$ for every $i \in 1..n$, where $\alpha_i$ is the multiset $\mathrm{RD}(K_i)$.

We now prove that for every atomic transaction $\mathsf{atom}(M)$ there is a CCS process $[\![M]\!]$ that is may-testing equivalent to $\mathsf{atom}(M)$. By CCS process, we mean a term of AtCCS without atomic transactions that may include occurrences of the choice operator $P + Q$. By Proposition 2, we can assume that $M$ is in normal form, that is $M = \bigsqcup_{i \in 1..n} K_i$. The interpretation of a sequence of actions $K = \alpha_1.\cdots.\alpha_n.\mathsf{end}$ is the process $[\![K]\!] = a_1.\cdots.a_k.(\bar b_1 \mid \cdots \mid \bar b_l)$ where $\{a_1,\ldots,a_k\} = \mathrm{RD}(K)$ and $\{b_1,\ldots,b_l\} = \mathrm{WT}(K)$. (In particular we have $[\![\mathsf{end}]\!] = 0$.) The translation of $M$, denoted $[\![M]\!]$, is the process $[\![K_1]\!] + \cdots + [\![K_n]\!]$. The following proposition shows that may-testing semantics is not able to distinguish the behaviour of an atomic process from the behaviour of its translation, which means that may testing is blind to the presence of transactions.

Proposition 3. For every expression $M$ in normal form we have $\mathsf{atom}(M) \simeq_{may} [\![M]\!]$.

We observe that a process $[\![M]\!]$ is a choice between processes of the form $a.P$ or $(\prod_{i \in I} \bar b_i)$. Therefore, using internal choice and a slightly more convoluted encoding, it is possible to use only input-guarded choice $a.P + b.Q$ in place of full choice in the definition of $[\![M]\!]$.

6 Future and Related Works 

There is a long history of works that try to formalize the notions of transactions and atomicity, and a variety of approaches to tackle this problem. We review some of the works that are most related to ours.

Several works combine ACID transactions with process calculi. Gorrieri et al. [18] have modeled concurrent systems with atomic behaviours using an extension of CCS. They use a two-level transition system (a high and a low level) where high actions are decomposed into atomic sequences of low actions. To enforce isolation, atomic sequences must go into a special invisible state during their whole execution. Contrary to our model, this work does not follow an optimistic approach: sequences are executed sequentially, without interleaving with other actions, as though in a critical section. Another related calculus is RCCS, a reversible version of CCS [15,16] based on an earlier notion of process calculus with backtracking [3]. In RCCS, each process has access to a log of its synchronization history and may always wind back to a previous state. This calculus guarantees the ACD properties of transactions (isolation is meaningless since RCCS does not use a shared memory model). Finally, a framework for specifying the semantics of transactions in an object calculus is given in [26]. The framework is parametrized by the definition of a transactional mechanism and allows the study of multiple models, such as e.g. the usual lock-based approach. In this work, STM is close to a model called versioning semantics. Like in our approach, this model is based on the use of logs and is characterized by an optimistic approach where log consistency is checked at commit time. Fewer works consider behavioural equivalences for transactions. A foundational work is [5], which gives a theory of transactions specifying atomicity, isolation and durability in the form of an equivalence relation on processes, but it provides no formal proof system.

Linked to the upsurge of works on Web Services (and on long-running Web transactions), a larger body of work is concerned with formalizing compensating transactions. In this context, each transactional block of actions is associated with a compensation (code) that has to be run if a failure is detected. The purpose of compensation is to undo most of the visible actions that have been performed; in this case atomicity, isolation and durability are obviously violated. We give a brief survey of works that formalize compensable processes using process calculi. These works are of two types: (1) interaction-based compensation [6,8,21], which are extensions of process calculi (like the $\pi$-calculus or the join-calculus) for describing transactional choreographies where composition takes place dynamically and where each service describes its possible interactions and compensations; (2) compensable flow composition [9,11,12,13], where ad hoc process algebras are designed from scratch to describe the possible flow of control among services. These calculi are oriented towards the orchestration of services and service failures. This second approach is also followed in [2,4], where two frameworks for composing transactional services are presented.
The study of AtCCS is motivated by our objective to better understand the semantics of the STM model. Obtaining a suitable behavioural equivalence for atomic expressions is a step forward for the verification of concurrent applications that use STM. However, we can imagine using our calculus for other purposes. An interesting problem is to develop an approach merging atomic and compensating transactions. A first step in this direction is to enrich our language to allow the parallel composition of atomic expressions and the nesting of transactions. We are currently working on this problem. Another area for research stems from our observation (see Section 4) that the algebraic structure of atomic expressions lacks some interesting properties. Indeed, it would be interesting to enrich the language of expressions in order to obtain a real lattice. The addition of a symmetric choice operator for atomic expressions may be a solution, but it could introduce unwanted nondeterminism in the evaluation of transactions.
A Proofs of Section 4

Before proving the validity of Theorem 1 and Theorem 2, it is necessary to present some preliminary results.

The following proposition recalls an important property of asynchronous calculi: no behaviour causally depends on the execution of output actions. The relation $\sim$ stands for the usual strong bisimulation relation (see e.g. [23]).

Proposition A1 $P \xrightarrow{\bar a} P'$ implies $P \sim P' \mid \bar a$.

Proof. By observing that outputs are non-blocking actions, a suitable strong bisimulation can be defined. □

As direct consequences of the previous proposition, we get the results stated in the following lemma: (1) output actions can always be delayed, and (2) a diamond property involving outputs.

Lemma A1 Let $\mu$ be a generic action ($\mu ::= \bar b \mid \theta \mid \tau$):

1. $P \xrightarrow{\bar a} \xrightarrow{\mu} P'$ implies $P \xrightarrow{\mu} \xrightarrow{\bar a} P'$; similarly, $P \xRightarrow{\bar a} \xRightarrow{\mu} P'$ implies $P \xRightarrow{\mu} \xRightarrow{\bar a} P'$;

2. $P \xrightarrow{\bar a} P'$ and $P \xrightarrow{\mu} P''$ imply that there is a $P'''$ such that $P' \xrightarrow{\mu} P'''$ and $P'' \xrightarrow{\bar a} P'''$; similarly, $P \xRightarrow{\bar a} P'$ and $P \xRightarrow{\mu} P''$ imply that there is a $P'''$ such that $P' \xRightarrow{\mu} P'''$ and $P'' \xRightarrow{\bar a} P'''$.

Proof. By Proposition A1. □

The following propositions state two relevant properties of the hiding operator.

Proposition A2 $(P \backslash a)\backslash^n b \approx_a (P \backslash^n b)\backslash a$ if $a \ne b$.

Proof. By Proposition 1 (HID) and the definition of $\approx_a$. □

Proposition A3 $(P \mid \bar a)\backslash^n a \approx_a P\backslash^{n+1} a$.

Proof. It is enough to note that $(P \mid \bar a)\backslash^n a \xrightarrow{\tau} P\backslash^{n+1} a$, Proposition 1 (HIDAT). □

In the following propositions we prove that $\approx_a$ and $\asymp$ are closed under contexts; as a consequence we obtain that both are congruences.

Proposition A4 $P \approx_a Q$ implies $\forall a : a.P \approx_a a.Q$.

Proof. It is enough to show that the relation $\mathcal{R} = \approx_a \cup \{(a.P, a.Q)\}$ is a weak asynchronous bisimulation. □

Proposition A5 $P \approx_a Q$ implies $\forall a : {*}a.P \approx_a {*}a.Q$.

Proof. It is enough to show that the relation

$$\mathcal{R} = \Big\{\Big(\prod_i P_i^{m_i} \mid {*}a.P,\ \prod_i Q_i^{m_i} \mid {*}a.Q\Big) \;\Big|\; m_i \ge 0,\ (P_i, Q_i) \in \approx_a\Big\}$$

where $P^n$ is a shorthand for the parallel composition of $n$ copies of $P$ and $\prod_i P_i$ stands for $P_1 \mid \cdots \mid P_n \mid \cdots$, is a weak asynchronous bisimulation up to $\sim$.

The proof proceeds as usual, by showing that every transition of the left term can be matched by a transition of the right one (and vice versa), and that the pair of resulting processes is in $\mathcal{R}$. The proof is a simple case analysis on the transitions defined in Proposition 1. The most involved case is a communication between two subprocesses, say $P_j$ and $P_k$. Suppose $P_j \xrightarrow{\{a\}} P'_j$ and $P_k \xrightarrow{\bar a} P'_k$. This means that, by Proposition 1 (COM):

$$\Big(\prod_i P_i^{m_i} \mid {*}a.P\Big) \xrightarrow{\tau} \Big(\prod_{i \ne j,k} P_i^{m_i} \mid P_j^{m_j-1} \mid P'_j \mid P_k^{m_k-1} \mid P'_k \mid {*}a.P\Big) = R_1 .$$

By $P_k \approx_a Q_k$ we know that $Q_k \xRightarrow{\bar a} Q'_k$ with $P'_k \approx_a Q'_k$. By $P_j \approx_a Q_j$ we know that $Q_j \xRightarrow{\theta} Q'_j$ for some block action $\theta$, and we distinguish the following cases.

$\theta = \{a\}$: in this case $Q'_j \approx_a P'_j$ and, by Proposition 1 (COM):

$$\Big(\prod_i Q_i^{m_i} \mid {*}a.Q\Big) \Rightarrow \Big(\prod_{i \ne j,k} Q_i^{m_i} \mid Q_j^{m_j-1} \mid Q'_j \mid Q_k^{m_k-1} \mid Q'_k \mid {*}a.Q\Big) = R_2$$

and $(R_1, R_2) \in \mathcal{R}$ by definition of $\mathcal{R}$.

$\theta \ne \{a\}$: this means that, by Proposition 1 (PAR):

$$\Big(\prod_i Q_i^{m_i} \mid {*}a.Q\Big) \xRightarrow{\theta} \Big(\prod_{i \ne j} Q_i^{m_i} \mid Q_j^{m_j-1} \mid Q'_j \mid {*}a.Q\Big) = R_2$$

and we have to show that $R_1 \mid \prod_{b \in \theta} \bar b \approx_a R_2$. We distinguish two cases.

$a \in \theta$: from $P_j \approx_a Q_j$ we obtain $P'_j \mid \prod_{b \in \theta \setminus a} \bar b \approx_a Q'_j$. Moreover, remembering that $P'_k \approx_a Q'_k$, we have (by definition of $\mathcal{R}$)

$$\Big(\prod_{i \ne j,k} P_i^{m_i} \mid P_j^{m_j-1} \mid P'_j \mid \prod_{b \in \theta \setminus a} \bar b \mid P_k^{m_k-1} \mid P'_k \mid {*}a.P\Big) \;\mathcal{R}\; \Big(\prod_{i \ne j,k} Q_i^{m_i} \mid Q_j^{m_j-1} \mid Q'_j \mid Q_k^{m_k-1} \mid Q'_k \mid {*}a.Q\Big)$$

but $\bar a \approx_a \bar a$, thus we also have (again by definition of $\mathcal{R}$)

$$\Big(\prod_{i \ne j,k} P_i^{m_i} \mid P_j^{m_j-1} \mid P'_j \mid \prod_{b \in \theta \setminus a} \bar b \mid \bar a \mid P_k^{m_k-1} \mid P'_k \mid {*}a.P\Big) \;\mathcal{R}\; \Big(\prod_{i \ne j,k} Q_i^{m_i} \mid Q_j^{m_j-1} \mid Q'_j \mid Q_k^{m_k-1} \mid \bar a \mid Q'_k \mid {*}a.Q\Big)$$

and by Proposition A1, $\bar a \mid Q'_k \sim Q_k$, thus

$$\Big(\prod_{i \ne j,k} P_i^{m_i} \mid P_j^{m_j-1} \mid P'_j \mid \prod_{b \in \theta} \bar b \mid P_k^{m_k-1} \mid P'_k \mid {*}a.P\Big) \;\mathcal{R}\!\sim\; \Big(\prod_{i \ne j} Q_i^{m_i} \mid Q_j^{m_j-1} \mid Q'_j \mid {*}a.Q\Big) .$$

$a \notin \theta$: from $P_j \approx_a Q_j$ we obtain $P'_j \mid \prod_{b \in \theta} \bar b \approx_a Q'_j \mid \bar a$. Moreover, remembering that $P'_k \approx_a Q'_k$, we have (by definition of $\mathcal{R}$)

$$\Big(\prod_{i \ne j,k} P_i^{m_i} \mid P_j^{m_j-1} \mid P'_j \mid \prod_{b \in \theta} \bar b \mid P_k^{m_k-1} \mid P'_k \mid {*}a.P\Big) \;\mathcal{R}\; \Big(\prod_{i \ne j,k} Q_i^{m_i} \mid Q_j^{m_j-1} \mid Q'_j \mid \bar a \mid Q_k^{m_k-1} \mid Q'_k \mid {*}a.Q\Big)$$

and by Proposition A1, $\bar a \mid Q'_k \sim Q_k$, thus

$$\Big(\prod_{i \ne j,k} P_i^{m_i} \mid P_j^{m_j-1} \mid P'_j \mid \prod_{b \in \theta} \bar b \mid P_k^{m_k-1} \mid P'_k \mid {*}a.P\Big) \;\mathcal{R}\!\sim\; \Big(\prod_{i \ne j} Q_i^{m_i} \mid Q_j^{m_j-1} \mid Q'_j \mid {*}a.Q\Big) . \qquad □$$
Proposition A6 $P \approx_a Q$ implies $\forall R : P \mid R \approx_a Q \mid R$.

Proof. The proof proceeds by showing that the relation

$$\mathcal{R} = \{(P \mid R,\ Q \mid R) \mid (P, Q) \in \approx_a\}$$

is a weak asynchronous bisimulation up to $\sim$.

Suppose $P \mid R \xrightarrow{\mu} S$; by Proposition 1 (PAR) or (COM) we can distinguish the following cases.

$R \xrightarrow{\mu} R'$: $S = P \mid R'$; by Proposition 1 (PAR), $Q \mid R \xrightarrow{\mu} Q \mid R'$ and $(P \mid R')\,\mathcal{R}\,(Q \mid R')$ by definition of $\mathcal{R}$;

$P \xrightarrow{\bar a} P'$: $\mu = \bar a$ and $S = P' \mid R$. By $P \approx_a Q$ we have $Q \xRightarrow{\bar a} Q'$ with $P' \approx_a Q'$. By Proposition 1 (PAR), $Q \mid R \xRightarrow{\bar a} Q' \mid R$ and $(P' \mid R)\,\mathcal{R}\,(Q' \mid R)$ by definition of $\mathcal{R}$;

$P \xrightarrow{\theta} P'$: $\mu = \theta$ and $S = P' \mid R$. By $P \approx_a Q$ we have $Q \xRightarrow{\theta'} Q'$ and $(P' \mid \prod_{a \in \theta' \setminus \theta} \bar a) \approx_a (Q' \mid \prod_{a \in \theta \setminus \theta'} \bar a)$. By Proposition 1 (PAR), $Q \mid R \xRightarrow{\theta'} Q' \mid R$, and $(P' \mid \prod_{a \in \theta' \setminus \theta} \bar a \mid R)\,\mathcal{R}\,(Q' \mid \prod_{a \in \theta \setminus \theta'} \bar a \mid R)$ follows from $(P' \mid \prod_{a \in \theta' \setminus \theta} \bar a) \approx_a (Q' \mid \prod_{a \in \theta \setminus \theta'} \bar a)$ and the definition of $\mathcal{R}$;

$P \xrightarrow{\bar a} P'$ and $R \xrightarrow{\{a\}} R'$: $\mu = \tau$ and $S = P' \mid R'$. $P \approx_a Q$ implies $Q \xRightarrow{\bar a} Q'$ and $P' \approx_a Q'$. By Proposition 1 (COM), $Q \mid R \Rightarrow Q' \mid R'$ and, by definition of $\mathcal{R}$, $(P' \mid R')\,\mathcal{R}\,(Q' \mid R')$;

$P \xrightarrow{\{a\}} P'$ and $R \xrightarrow{\bar a} R'$: $\mu = \tau$ and $S = P' \mid R'$. $P \approx_a Q$ implies that $Q \xRightarrow{\theta} Q'$. We consider the following cases, distinguishing the possible values of $\theta$:

$\theta = \{a\}$: in this case $P' \approx_a Q'$. By Proposition 1 (COM), $Q \mid R \Rightarrow Q' \mid R'$ and, by definition of $\mathcal{R}$, $(P' \mid R')\,\mathcal{R}\,(Q' \mid R')$;

otherwise: $Q \mid R \xRightarrow{\theta} Q' \mid R$ by Proposition 1 (PAR); we have to prove that $P' \mid R' \mid \prod_{b \in \theta} \bar b \approx_a Q' \mid R$. We distinguish the following cases:

$a \in \theta$: from $P \approx_a Q$ we obtain $P' \mid \prod_{b \in \theta \setminus a} \bar b \approx_a Q'$; by definition of $\mathcal{R}$:

$$P' \mid \prod_{b \in \theta \setminus a} \bar b \mid R' \;\mathcal{R}\; Q' \mid R'$$

and by Proposition A1, $R \sim R' \mid \bar a$, thus

$$P' \mid R' \mid \prod_{b \in \theta} \bar b \;\approx_a\; Q' \mid R ;$$

$a \notin \theta$: from $P \approx_a Q$ we obtain $P' \mid \prod_{b \in \theta} \bar b \approx_a Q' \mid \bar a$; by definition of $\mathcal{R}$:

$$P' \mid \prod_{b \in \theta} \bar b \mid R' \;\mathcal{R}\; Q' \mid \bar a \mid R'$$

and by Proposition A1, $R \sim R' \mid \bar a$, thus

$$P' \mid R' \mid \prod_{b \in \theta} \bar b \;\approx_a\; Q' \mid R . \qquad □$$

Proposition A7 $P \approx_a Q$ implies $\forall a, n \ge 0 : P\backslash^n a \approx_a Q\backslash^n a$.

Proof. The proof proceeds by showing that the relation

$$\mathcal{R} = \{(P_i\backslash^{n+i} a,\ Q_j\backslash^{n+j} a) \mid n \ge 0,\ (P, Q) \in \approx_a,\ P \xrightarrow{\bar a^{\,i}} P_i,\ Q \xrightarrow{\bar a^{\,j}} Q_j\}$$

where $P \xrightarrow{\bar a^{\,i}} P_i$ stands for $i$ successive output transitions on $a$, is a weak asynchronous bisimulation up to $\sim$. We distinguish the following cases, according to the rule of Proposition 1 used to derive the transition of the left term.

(HID): $P_i\backslash^{n+i} a \xrightarrow{\mu} P'_i\backslash^{n+i} a$ is derived from $P_i \xrightarrow{\mu} P'_i$, where $a$ does not appear in $\mu$. By Lemma A1 (1), $P \xrightarrow{\bar a^{\,i}} P_i \xrightarrow{\mu} P'_i$ implies $P \xrightarrow{\mu} P' \xrightarrow{\bar a^{\,i}} P'_i$. From $P \approx_a Q$ we obtain $Q \xRightarrow{\mu} Q'$ with $P' \approx_a Q'$ and, by $Q \xrightarrow{\bar a^{\,j}} Q_j$ and Lemma A1 (2), $Q' \xrightarrow{\bar a^{\,j}} Q'_j$ and $Q_j \xRightarrow{\mu} Q'_j$; by Proposition 1 (HID), $Q_j\backslash^{n+j} a \xRightarrow{\mu} Q'_j\backslash^{n+j} a$. Finally, $(P'_i\backslash^{n+i} a)\,\mathcal{R}\,(Q'_j\backslash^{n+j} a)$ because $P' \approx_a Q'$, $P' \xrightarrow{\bar a^{\,i}} P'_i$, $Q' \xrightarrow{\bar a^{\,j}} Q'_j$ and the definition of $\mathcal{R}$.

(HIDAT): $P_i\backslash^{n+i} a \xrightarrow{\theta'} P'_i\backslash^{n'} a$ is derived from $P_i \xrightarrow{\theta} P'_i$ with $\theta = \theta' \uplus a^m$ and $n' = n + i - m$. By Lemma A1 (1), $P \xrightarrow{\bar a^{\,i}} P_i \xrightarrow{\theta} P'_i$ implies $P \xrightarrow{\theta} P' \xrightarrow{\bar a^{\,i}} P'_i$. By $P \approx_a Q$, $Q \xRightarrow{\gamma} Q'$ with $(P' \mid \prod_{b \in \gamma \setminus \theta} \bar b) \approx_a (Q' \mid \prod_{b \in \theta \setminus \gamma} \bar b)$. Suppose $\gamma = \gamma' \uplus a^{m'}$ and, without loss of generality, that $m' \ge m$. We can rewrite $P' \mid \prod_{b \in \gamma \setminus \theta} \bar b$ as $P' \mid \bar a^{\,m'-m} \mid \prod_{b \in \gamma' \setminus \theta'} \bar b$ and $Q' \mid \prod_{b \in \theta \setminus \gamma} \bar b$ as $Q' \mid \prod_{b \in \theta' \setminus \gamma'} \bar b$, thus

$$\Big(P' \mid \bar a^{\,m'-m} \mid \prod_{b \in \gamma' \setminus \theta'} \bar b\Big) \approx_a \Big(Q' \mid \prod_{b \in \theta' \setminus \gamma'} \bar b\Big).$$

Moreover, by Lemma A1 (2), $Q \xRightarrow{\gamma} Q'$ and $Q \xrightarrow{\bar a^{\,j}} Q_j$ imply $Q_j \xRightarrow{\gamma} Q'_j$ and $Q' \xrightarrow{\bar a^{\,j}} Q'_j$; by Proposition 1 (HIDAT), $Q_j\backslash^{n+j} a \xRightarrow{\gamma'} Q'_j\backslash^{n+j-m'} a$.

We have to relate the processes $P'_i\backslash^{n+i-m} a \mid \prod_{b \in \gamma' \setminus \theta'} \bar b$ and $Q'_j\backslash^{n+j-m'} a \mid \prod_{b \in \theta' \setminus \gamma'} \bar b$. By Proposition 1 (HIDOUT), $(P' \mid \bar a^{\,m'-m} \mid \prod_{b \in \gamma' \setminus \theta'} \bar b)\backslash^{n-m'} a \Rightarrow (P'_i \mid \prod_{b \in \gamma' \setminus \theta'} \bar b)\backslash^{n+i-m} a$ and $(Q' \mid \prod_{b \in \theta' \setminus \gamma'} \bar b)\backslash^{n-m'} a \Rightarrow (Q'_j \mid \prod_{b \in \theta' \setminus \gamma'} \bar b)\backslash^{n+j-m'} a$; thus from $(P' \mid \bar a^{\,m'-m} \mid \prod_{b \in \gamma' \setminus \theta'} \bar b) \approx_a (Q' \mid \prod_{b \in \theta' \setminus \gamma'} \bar b)$ we obtain $((P'_i \mid \prod_{b \in \gamma' \setminus \theta'} \bar b)\backslash^{n+i-m} a)\,\mathcal{R}\,((Q'_j \mid \prod_{b \in \theta' \setminus \gamma'} \bar b)\backslash^{n+j-m'} a)$, that is $P'_i\backslash^{n+i-m} a \mid \prod_{b \in \gamma' \set

minus \theta'} \bar b \;\mathcal{R}\!\sim\; Q'_j\backslash^{n+j-m'} a \mid \prod_{b \in \theta' \setminus \gamma'} \bar b$ by Proposition A2.

(HIDOUT): $P_i\backslash^{n+i} a \xrightarrow{\tau} P'_i\backslash^{n+i+1} a$ is derived from $P_i \xrightarrow{\bar a} P'_i$; then $P'_i = P_{i+1}$ and by definition of $\mathcal{R}$ we have $(P_{i+1}\backslash^{n+i+1} a)\,\mathcal{R}\,(Q_j\backslash^{n+j} a)$. □

Proposition A8 Suppose $\alpha = \mathsf{rd}\,a$ or $\alpha = \mathsf{wt}\,a$. If $M \asymp N$ then $\alpha.M \asymp \alpha.N$.

Proof. Consider the case $\alpha = \mathsf{rd}\,a$. It suffices to show that $\mathcal{R} \subseteq \asymp$, where

$$\begin{array}{rl}
\mathcal{R} = & \{((\mathsf{rd}\,a.M)_{\sigma;\varepsilon}, (\mathsf{rd}\,a.N)_{\sigma;\varepsilon}),\ ((\mathsf{retry})_{\sigma;\varepsilon}, (\mathsf{retry})_{\sigma;\varepsilon})\}\\[3pt]
\cup & \{((M')_{\sigma;\mathsf{rd}\,a.\delta}, (N')_{\sigma;\mathsf{rd}\,a.\delta'}) \mid ((M')_{\sigma \setminus \{a\};\delta}, (N')_{\sigma \setminus \{a\};\delta'}) \in \asymp,\\
& \quad (M)_{\sigma \setminus \{a\};\varepsilon} \Rightarrow (M')_{\sigma \setminus \{a\};\delta} \text{ and } (N)_{\sigma \setminus \{a\};\varepsilon} \Rightarrow (N')_{\sigma \setminus \{a\};\delta'}\}.
\end{array}$$

Note that $M \asymp N$ implies $\delta =_{\sigma \setminus \{a\}} \delta'$, thus $\mathsf{rd}\,a.\delta =_\sigma \mathsf{rd}\,a.\delta'$. □

Proposition A9 If $M_1 \asymp N_1$ and $M_2 \asymp N_2$ then $M_1\ \mathsf{orElse}\ M_2 \asymp N_1\ \mathsf{orElse}\ N_2$.

Proof. It suffices to show that $\mathcal{R} \subseteq \asymp$, where

$$\begin{array}{rl}
\mathcal{R} = & \{((M_1\ \mathsf{orElse}\ M_2)_{\sigma;\varepsilon}, (N_1\ \mathsf{orElse}\ N_2)_{\sigma;\varepsilon})\}\\[3pt]
\cup & \{((A\ \mathsf{orElse}\ B), (C\ \mathsf{orElse}\ D)) \mid (M_1)_{\sigma;\varepsilon} \Rightarrow A,\ (M_2)_{\sigma;\varepsilon} \Rightarrow B,\ (N_1)_{\sigma;\varepsilon} \Rightarrow C,\ (N_2)_{\sigma;\varepsilon} \Rightarrow D,\ (A, C) \in \asymp,\ (B, D) \in \asymp\}\\[3pt]
\cup & \{(B, D) \mid (M_1)_{\sigma;\varepsilon} \Rightarrow (\mathsf{retry})_{\sigma;\delta},\ (N_1)_{\sigma;\varepsilon} \Rightarrow (\mathsf{retry})_{\sigma;\delta'},\ (M_2)_{\sigma;\varepsilon} \Rightarrow B,\ (N_2)_{\sigma;\varepsilon} \Rightarrow D,\ (B, D) \in \asymp\}\\[3pt]
\cup & \{((\mathsf{end})_{\sigma;\delta}, (\mathsf{end})_{\sigma;\delta'}) \mid (M_1)_{\sigma;\varepsilon} \Rightarrow (\mathsf{end})_{\sigma;\delta},\ (N_1)_{\sigma;\varepsilon} \Rightarrow (\mathsf{end})_{\sigma;\delta'}\}.
\end{array}$$

Note that $M_i \asymp N_i$, for $i = 1, 2$, ensures that, in case of successful termination, the resulting logs have the same effects. □
Weak atomic equivalence entails weak asynchronous bisimulation of the corresponding atomic blocks, but the converse does not hold. E.g. $\mathsf{atom}(\mathsf{rd}\,a.\mathsf{wt}\,a.\mathsf{end}) \approx_a \mathsf{atom}(\mathsf{end})$ but $\mathsf{rd}\,a.\mathsf{wt}\,a.\mathsf{end} \not\asymp \mathsf{end}$.

Proposition A10 $M \asymp N$ implies $\mathsf{atom}(M) \approx_a \mathsf{atom}(N)$.

Proof. By contradiction, suppose that $\mathsf{atom}(M) \not\approx_a \mathsf{atom}(N)$. This means that there is a $\delta$ such that $\mathsf{atom}(M) \xRightarrow{\mathrm{RD}(\delta)} P$, with $P = \prod_{b \in \mathrm{WT}(\delta)} \bar b$, and for every $\delta'$ such that $\mathsf{atom}(N) \xRightarrow{\mathrm{RD}(\delta')} Q$, with $Q = \prod_{b \in \mathrm{WT}(\delta')} \bar b$, we have $(P \mid \prod_{b \in \mathrm{RD}(\delta') \setminus \mathrm{RD}(\delta)} \bar b) \not\approx_a (Q \mid \prod_{b \in \mathrm{RD}(\delta) \setminus \mathrm{RD}(\delta')} \bar b)$, meaning that there is an $a$ such that $(P \mid \prod_{b \in \mathrm{RD}(\delta') \setminus \mathrm{RD}(\delta)} \bar b) \xrightarrow{\bar a}$ and $(Q \mid \prod_{b \in \mathrm{RD}(\delta) \setminus \mathrm{RD}(\delta')} \bar b) \not\xrightarrow{\bar a}$ (or vice versa).

By rules (ATPASS) and (ATOK) and the definition of weak transitions, $\mathsf{atom}(M) \xRightarrow{\mathrm{RD}(\delta)} P$ implies that there is a $\sigma$ such that $(M)_{\sigma;\varepsilon} \Rightarrow (\mathsf{end})_{\sigma;\delta}$. By definition of $\asymp$ there is a $\delta''$ such that $(N)_{\sigma;\varepsilon} \Rightarrow (\mathsf{end})_{\sigma;\delta''}$ with $\delta =_\sigma \delta''$, that is $\sigma \setminus \mathrm{RD}(\delta) \uplus \mathrm{WT}(\delta) = \sigma \setminus \mathrm{RD}(\delta'') \uplus \mathrm{WT}(\delta'')$. Thus, by rules (ATPASS) and (ATOK) and Proposition 1, $\mathsf{atom}(N) \xRightarrow{\mathrm{RD}(\delta'')} Q$ with $Q = \prod_{b \in \mathrm{WT}(\delta'')} \bar b$.

Suppose $P = \prod_{b \in \mathrm{WT}(\delta)} \bar b \xrightarrow{\bar a}$; this means that $a \in \mathrm{WT}(\delta)$. From $\sigma \setminus \mathrm{RD}(\delta) \uplus \mathrm{WT}(\delta) = \sigma \setminus \mathrm{RD}(\delta'') \uplus \mathrm{WT}(\delta'')$ we obtain $\mathrm{WT}(\delta) = \mathrm{WT}(\delta'') \uplus \mathrm{RD}(\delta) \setminus \mathrm{RD}(\delta'')$, hence either $Q = \prod_{b \in \mathrm{WT}(\delta'')} \bar b \xrightarrow{\bar a}$ or $\prod_{b \in \mathrm{RD}(\delta) \setminus \mathrm{RD}(\delta'')} \bar b \xrightarrow{\bar a}$.

Suppose instead $a \in \mathrm{RD}(\delta'') \setminus \mathrm{RD}(\delta)$; then $\mathrm{WT}(\delta'') = \mathrm{WT}(\delta) \uplus \mathrm{RD}(\delta'') \setminus \mathrm{RD}(\delta)$ implies that $a \in \mathrm{WT}(\delta'')$, that is $Q \xrightarrow{\bar a}$.

In both cases we have a contradiction, because we have assumed that $(Q \mid \prod_{b \in \mathrm{RD}(\delta) \setminus \mathrm{RD}(\delta'')} \bar b) \not\xrightarrow{\bar a}$. □

We can now prove the main results of Section 4.

Theorem A1 (Theorem 1) Weak asynchronous bisimulation $\approx_a$ is a congruence.

Proof. The result follows by Propositions A4–A10. □

Theorem A2 (Theorem 2) Weak atomic equivalence $\asymp$ is a congruence.

Proof. The result follows by Propositions A8 and A9. □

B Proofs of laws in Table 4

The laws in Table 4 are proved, as usual, by showing appropriate bisimulation relations. In the following cases $\mathcal{R}$ is the proposed bisimulation. In what follows $a \notin \sigma$ means that the name $a$ does not appear in $\sigma$, and $a^n \in \sigma$ means that $\sigma$ contains $n$ copies of $a$.

(COMM) $\alpha.\alpha'.M \asymp \alpha'.\alpha.M$: Suppose $\alpha = \mathsf{rd}\,a$ and $\alpha' = \mathsf{rd}\,b$ (the other cases are similar).

$$\begin{array}{rl}
\mathcal{R} = & \{((\mathsf{rd}\,a.\mathsf{rd}\,b.M)_{\sigma;\varepsilon}, (\mathsf{rd}\,b.\mathsf{rd}\,a.M)_{\sigma;\varepsilon})\}\\[3pt]
\cup & \{((\mathsf{rd}\,b.M)_{\sigma;\mathsf{rd}\,a}, (\mathsf{rd}\,a.M)_{\sigma;\mathsf{rd}\,b}),\ ((M'')_{\sigma;\mathsf{rd}\,a.\mathsf{rd}\,b.\delta}, (M'')_{\sigma;\mathsf{rd}\,b.\mathsf{rd}\,a.\delta})\\
& \quad \mid a^n, b^m \in \sigma,\ n, m > 0,\ (M)_{\sigma \setminus \{a,b\};\varepsilon} \Rightarrow (M'')_{\sigma \setminus \{a,b\};\delta}\}\\[3pt]
\cup & \{((\mathsf{retry})_{\sigma;\varepsilon}, (\mathsf{retry})_{\sigma;\varepsilon}) \mid a, b \notin \sigma\}\\[3pt]
\cup & \{((\mathsf{retry})_{\sigma;\varepsilon}, (\mathsf{rd}\,a.M)_{\sigma;\mathsf{rd}\,b}),\ ((\mathsf{retry})_{\sigma;\varepsilon}, (\mathsf{retry})_{\sigma;\mathsf{rd}\,b}) \mid a \notin \sigma,\ b^m \in \sigma,\ m > 0\}\\[3pt]
\cup & \{((\mathsf{rd}\,b.M)_{\sigma;\mathsf{rd}\,a}, (\mathsf{retry})_{\sigma;\varepsilon}),\ ((\mathsf{retry})_{\sigma;\mathsf{rd}\,a}, (\mathsf{retry})_{\sigma;\varepsilon}) \mid a^n \in \sigma,\ b \notin \sigma,\ n > 0\}.
\end{array}$$
(DIST) $\alpha.(M\ \mathsf{orElse}\ N) \asymp (\alpha.M)\ \mathsf{orElse}\ (\alpha.N)$: Suppose $M' = \mathsf{rd}\,a.(M\ \mathsf{orElse}\ N)$ and $N' = (\mathsf{rd}\,a.M)\ \mathsf{orElse}\ (\mathsf{rd}\,a.N)$.

$$\begin{array}{rl}
\mathcal{R} = & \{((M')_{\sigma;\varepsilon}, (N')_{\sigma;\varepsilon}),\ ((M')_{\sigma;\varepsilon}, (\mathsf{rd}\,a.M)_{\sigma;\varepsilon}\ \mathsf{orElse}\ (\mathsf{rd}\,a.N)_{\sigma;\varepsilon})\}\\[3pt]
\cup & \{((\mathsf{retry})_{\sigma;\varepsilon}, (\mathsf{retry})_{\sigma;\varepsilon}\ \mathsf{orElse}\ (\mathsf{rd}\,a.N)_{\sigma;\varepsilon}),\ ((\mathsf{retry})_{\sigma;\varepsilon}, (\mathsf{rd}\,a.M)_{\sigma;\varepsilon}\ \mathsf{orElse}\ (\mathsf{retry})_{\sigma;\varepsilon}),\\
& \quad ((\mathsf{retry})_{\sigma;\varepsilon}, (\mathsf{retry})_{\sigma;\varepsilon}\ \mathsf{orElse}\ (\mathsf{retry})_{\sigma;\varepsilon}),\ ((\mathsf{retry})_{\sigma;\varepsilon}, (\mathsf{retry})_{\sigma;\varepsilon}) \mid a \notin \sigma\}\\[3pt]
\cup & \{((M\ \mathsf{orElse}\ N)_{\sigma;\mathsf{rd}\,a}, (M)_{\sigma;\mathsf{rd}\,a}\ \mathsf{orElse}\ (N)_{\sigma;\mathsf{rd}\,a}),\\
& \quad ((M')_{\sigma;\varepsilon}, (M)_{\sigma;\mathsf{rd}\,a}\ \mathsf{orElse}\ (\mathsf{rd}\,a.N)_{\sigma;\varepsilon}),\ ((M')_{\sigma;\varepsilon}, (\mathsf{rd}\,a.M)_{\sigma;\varepsilon}\ \mathsf{orElse}\ (N)_{\sigma;\mathsf{rd}\,a}) \mid a^n \in \sigma,\ n > 0\}\\[3pt]
\cup & \{(A\ \mathsf{orElse}\ (N)_{\sigma;\mathsf{rd}\,a},\ A\ \mathsf{orElse}\ (\mathsf{rd}\,a.N)_{\sigma;\varepsilon}) \mid (M)_{\sigma;\mathsf{rd}\,a} \Rightarrow A,\ a^n \in \sigma,\ n > 0\}\\[3pt]
\cup & \{((M)_{\sigma;\mathsf{rd}\,a}\ \mathsf{orElse}\ B,\ (\mathsf{rd}\,a.M)_{\sigma;\varepsilon}\ \mathsf{orElse}\ B) \mid (N)_{\sigma;\mathsf{rd}\,a} \Rightarrow B,\ a^n \in \sigma,\ n > 0\}\\[3pt]
\cup & \{(A\ \mathsf{orElse}\ B,\ A\ \mathsf{orElse}\ B) \mid (M)_{\sigma;\mathsf{rd}\,a} \Rightarrow A,\ (N)_{\sigma;\mathsf{rd}\,a} \Rightarrow B,\ a^n \in \sigma,\ n > 0\}\\[3pt]
\cup & \{(C, C) \mid (M)_{\sigma;\mathsf{rd}\,a} \Rightarrow (\mathsf{retry})_{\sigma;\delta},\ (N)_{\sigma;\mathsf{rd}\,a} \Rightarrow C,\ a^n \in \sigma,\ n > 0\}.
\end{array}$$

(ASS) $M_1\ \mathsf{orElse}\ (M_2\ \mathsf{orElse}\ M_3) \asymp (M_1\ \mathsf{orElse}\ M_2)\ \mathsf{orElse}\ M_3$:

$$\begin{array}{rl}
\mathcal{R} = & \{((M_1\ \mathsf{orElse}\ (M_2\ \mathsf{orElse}\ M_3))_{\sigma;\varepsilon},\ ((M_1\ \mathsf{orElse}\ M_2)\ \mathsf{orElse}\ M_3)_{\sigma;\varepsilon}),\\
& \quad ((M_1)_{\sigma;\varepsilon}\ \mathsf{orElse}\ (M_2\ \mathsf{orElse}\ M_3)_{\sigma;\varepsilon},\ (M_1\ \mathsf{orElse}\ M_2)_{\sigma;\varepsilon}\ \mathsf{orElse}\ (M_3)_{\sigma;\varepsilon})\}\\[3pt]
\cup & \{(A\ \mathsf{orElse}\ (B\ \mathsf{orElse}\ C),\ (A\ \mathsf{orElse}\ B)\ \mathsf{orElse}\ C),\\
& \quad (A\ \mathsf{orElse}\ (M_2\ \mathsf{orElse}\ M_3)_{\sigma;\varepsilon},\ (A\ \mathsf{orElse}\ (M_2)_{\sigma;\varepsilon})\ \mathsf{orElse}\ (M_3)_{\sigma;\varepsilon}),\\
& \quad ((M_1)_{\sigma;\varepsilon}\ \mathsf{orElse}\ ((M_2)_{\sigma;\varepsilon}\ \mathsf{orElse}\ C),\ (M_1\ \mathsf{orElse}\ M_2)_{\sigma;\varepsilon}\ \mathsf{orElse}\ C),\\
& \quad ((M_1)_{\sigma;\varepsilon}\ \mathsf{orElse}\ (B\ \mathsf{orElse}\ (M_3)_{\sigma;\varepsilon}),\ ((M_1)_{\sigma;\varepsilon}\ \mathsf{orElse}\ B)\ \mathsf{orElse}\ (M_3)_{\sigma;\varepsilon})\\
& \quad \mid (M_1)_{\sigma;\varepsilon} \Rightarrow A,\ (M_2)_{\sigma;\varepsilon} \Rightarrow B,\ (M_3)_{\sigma;\varepsilon} \Rightarrow C\}\\[3pt]
\cup & \{((M_2\ \mathsf{orElse}\ M_3)_{\sigma;\varepsilon},\ (M_2)_{\sigma;\varepsilon}\ \mathsf{orElse}\ (M_3)_{\sigma;\varepsilon}),\ ((D\ \mathsf{orElse}\ E),\ D\ \mathsf{orElse}\ E)\\
& \quad \mid (M_1)_{\sigma;\varepsilon} \Rightarrow (\mathsf{retry})_{\sigma;\delta},\ (M_2)_{\sigma;\varepsilon} \Rightarrow D,\ (M_3)_{\sigma;\varepsilon} \Rightarrow E\}\\[3pt]
\cup & \{(F, F) \mid (M_1)_{\sigma;\varepsilon} \Rightarrow (\mathsf{retry})_{\sigma;\delta},\ (M_2)_{\sigma;\varepsilon} \Rightarrow (\mathsf{retry})_{\sigma;\delta'},\ (M_3)_{\sigma;\varepsilon} \Rightarrow F\}.
\end{array}$$

(ABSRT1) $a.\mathsf{retry} \approx \mathsf{retry}$: suppose $a = \mathsf{rd}\,a$: 

$\mathcal{R} = \{((\mathsf{rd}\,a.\mathsf{retry})_{\sigma;\varepsilon},\ (\mathsf{retry})_{\sigma;\varepsilon})\}$ 
$\cup\ \{((\mathsf{retry})_{\sigma;\mathsf{rd}\,a},\ (\mathsf{retry})_{\sigma;\varepsilon}) \mid a^n \in \sigma,\ n > 0\}$ 
$\cup\ \{((\mathsf{retry})_{\sigma;\varepsilon},\ (\mathsf{retry})_{\sigma;\varepsilon}) \mid a \notin \sigma\}$. 
(ABSRT2) $\mathsf{retry} \;\mathsf{orElse}\; M \approx M \approx M \;\mathsf{orElse}\; \mathsf{retry}$: 

$\mathcal{R}_1 = \{((\mathsf{retry} \;\mathsf{orElse}\; M)_{\sigma;\varepsilon},\ (M)_{\sigma;\varepsilon})\}$ 
$\cup\ \{((\mathsf{retry})_{\sigma;\varepsilon} \;\mathsf{orElse}\; A,\ A),\ (A, A) \mid (M)_{\sigma;\varepsilon} \Rightarrow A\}$ 

$\mathcal{R}_2 = \{((M \;\mathsf{orElse}\; \mathsf{retry})_{\sigma;\varepsilon},\ (M)_{\sigma;\varepsilon})\}$ 
$\cup\ \{(A \;\mathsf{orElse}\; (\mathsf{retry})_{\sigma;\varepsilon},\ A) \mid (M)_{\sigma;\varepsilon} \Rightarrow A\}$ 
$\cup\ \{((\mathsf{end})_{\sigma;\delta},\ (\mathsf{end})_{\sigma;\delta}) \mid (M)_{\sigma;\varepsilon} \Rightarrow (\mathsf{end})_{\sigma;\delta}\}$ 
$\cup\ \{((\mathsf{retry})_{\sigma;\varepsilon},\ (\mathsf{retry})_{\sigma;\delta}) \mid (M)_{\sigma;\varepsilon} \Rightarrow (\mathsf{retry})_{\sigma;\delta}\}$. 



(ABSEND) $\mathsf{end} \;\mathsf{orElse}\; M \approx \mathsf{end}$: 

$\mathcal{R} = \{((\mathsf{end} \;\mathsf{orElse}\; M)_{\sigma;\varepsilon},\ (\mathsf{end})_{\sigma;\varepsilon}),\ ((\mathsf{end})_{\sigma;\varepsilon},\ (\mathsf{end})_{\sigma;\varepsilon})\}$ 
$\cup\ \{((\mathsf{end})_{\sigma;\varepsilon} \;\mathsf{orElse}\; A,\ (\mathsf{end})_{\sigma;\varepsilon}) \mid (M)_{\sigma;\varepsilon} \Rightarrow A\}$. 

(ASY) $a.\bar{a} \approx_a 0$: 

$\mathcal{R} = \{(a.\bar{a}, 0),\ (\bar{a}, \bar{a}),\ (0, 0)\}$. 

(A-ASY) $\mathsf{atom}(\mathsf{rd}\,a.\mathsf{wt}\,a.\mathsf{end}) \approx_a 0$: 

$\mathcal{R} = \{(\mathsf{atom}(\mathsf{rd}\,a.\mathsf{wt}\,a.\mathsf{end}), 0),\ (\{|(\mathsf{rd}\,a.\mathsf{wt}\,a.\mathsf{end})_{\sigma;\varepsilon}|\}_{\mathsf{rd}\,a.\mathsf{wt}\,a.\mathsf{end}}, 0)\}$ 
$\cup\ \{(\{|(\mathsf{wt}\,a.\mathsf{end})_{\sigma;\mathsf{rd}\,a}|\}_{\mathsf{rd}\,a.\mathsf{wt}\,a.\mathsf{end}}, 0) \mid a^n \in \sigma,\ n > 0\}$ 
$\cup\ \{(\{|(\mathsf{retry})_{\sigma;\varepsilon}|\}_{\mathsf{rd}\,a.\mathsf{wt}\,a.\mathsf{end}}, 0) \mid a \notin \sigma\}$. 

(A-1) $\mathsf{atom}(\mathsf{rd}\,a.\mathsf{end}) \approx a$: 

$\mathcal{R} = \{(\mathsf{atom}(\mathsf{rd}\,a.\mathsf{end}), a),\ (\{|(\mathsf{rd}\,a.\mathsf{end})_{\sigma;\varepsilon}|\}_{\mathsf{rd}\,a.\mathsf{end}}, a)\}$ 
$\cup\ \{(\{|(\mathsf{end})_{\sigma;\mathsf{rd}\,a}|\}_{\mathsf{rd}\,a.\mathsf{end}}, a),\ (0, 0) \mid a^n \in \sigma,\ n > 0\}$ 
$\cup\ \{(\{|(\mathsf{retry})_{\sigma;\varepsilon}|\}_{\mathsf{rd}\,a.\mathsf{end}}, a) \mid a \notin \sigma\}$. 

C Proof of Proposition 2 

In this section we show that the laws in Table 4 can be used for eliminating redundant branches 
from an atomic expression and obtaining an equivalent expression in normal form (see the proof 
of Proposition 2). Some preliminary results are needed. 

The next proposition states that if $K'$'s reads include $K$'s then $K'$ is bigger than $K$ in our 
weak atomic preorder. 

Proposition C1 Suppose $K = A_1.\cdots.A_n$ and $K' = B_1.\cdots.B_m$, with $A_i, B_j ::= \mathsf{rd}\,a \mid \mathsf{wt}\,a$. If 
$\mathrm{RD}(K) \subseteq \mathrm{RD}(K')$ then $K \sqsubseteq K'$. 

Proof. It is enough to observe that if $(K')_{\sigma;\varepsilon} \Rightarrow (\mathsf{end})_{\sigma;\delta}$ then $\mathrm{RD}(K') \subseteq \sigma$ (rules (ARdOk) 
and (ARdF)); thus $\mathrm{RD}(K) \subseteq \sigma$, and by (ARdOk) we get $(K)_{\sigma;\varepsilon} \Rightarrow (\mathsf{end})_{\sigma;\delta'}$. □ 
As a consequence of the previous proposition, we obtain that, in an orElse expression, 
a redundant branch, that is, a branch which includes the reads of at least one of its preceding 
branches, can be eliminated. 

Proposition C2 Consider the expressions $K_1, \ldots, K_n$ where, for $i = 1, \ldots, n$, $K_i$ is of the form 
$A_{i1}.\cdots.A_{in_i}$, with $A_{ij} ::= \mathsf{rd}\,a \mid \mathsf{wt}\,a$. If $\mathrm{RD}(K_j) \subseteq \mathrm{RD}(K_n)$, for a $j$ such that $0 < j < n$, then 

$K_1 \;\mathsf{orElse}\; \cdots \;\mathsf{orElse}\; K_n \approx K_1 \;\mathsf{orElse}\; \cdots \;\mathsf{orElse}\; K_{n-1}$. 

Proof. The proof proceeds by using Proposition C1, the fact that $M \sqcup M' \approx M$ if and only if 
$M \sqsubseteq M'$ (see page 13) and the rules for $\mathsf{orElse}$ in Table 3. □ 

As previously said, the proof of the following proposition shows how to apply the rules in Table 4 
for rearranging an atomic expression into an equivalent one in normal form. 

Proposition C3 (Proposition 2) For every expression $M$ there is an expression $M'$ in normal 
form such that $M \approx M'$. 

Proof. The proof proceeds by induction on the structure of $M$: 

$M = \mathsf{end}$: $M' = M = \mathsf{end}$; 

$M = \mathsf{retry}$: $M' = M = \mathsf{retry}$; 

$M = a.N$: by induction hypothesis, there is an $N'$ in normal form such that $N \approx N'$. By Proposition A8, $a.N \approx a.N'$, thus by choosing $M' = a.N'$ we obtain $M \approx M'$; 

$M = N \;\mathsf{orElse}\; N'$: by induction hypothesis, there are $N_0$ and $N'_0$, in normal form, such that 
$N \approx N_0$ and $N' \approx N'_0$. By Proposition A9, $M = N \;\mathsf{orElse}\; N' \approx N_0 \;\mathsf{orElse}\; N'_0$. We choose 
$M'$ by considering the following cases: 

- if $N_0 = \mathsf{retry}$ we choose $M' = N'_0$, because, by (ABSRT2), $\mathsf{retry} \;\mathsf{orElse}\; N'_0 \approx N'_0$; 

- if $N_0 = N_{01} \;\mathsf{orElse}\; \cdots \;\mathsf{orElse}\; N_{0n}$ and $N'_0 = N'_{01} \;\mathsf{orElse}\; \cdots \;\mathsf{orElse}\; N'_{0m}$, consider 
$P = \{\, j \mid \exists k \in \{1, \ldots, n\} : \mathrm{RD}(N_{0k}) \subseteq \mathrm{RD}(N'_{0j}) \,\}$. If $P = \emptyset$ this means that $M' = N_0 \;\mathsf{orElse}\; N'_0$ is in normal form. 

Otherwise, suppose $P = \{j_1, \ldots, j_l\}$ with $j_i < j_w$ for $i < w$; by applying Proposition C2 
and A9 and (ASS) at every step, we have 

$N_0 \;\mathsf{orElse}\; N'_0$ 
$\approx$ (by removing $N'_{0j_1}$) 
$N_0 \;\mathsf{orElse}\; N'_{01} \;\mathsf{orElse}\; \cdots \;\mathsf{orElse}\; N'_{0j_1-1} \;\mathsf{orElse}\; N'_{0j_1+1} \;\mathsf{orElse}\; \cdots \;\mathsf{orElse}\; N'_{0m}$ 
$\approx$ (by removing $N'_{0j_2}$) 
$N_0 \;\mathsf{orElse}\; N'_{01} \;\mathsf{orElse}\; \cdots \;\mathsf{orElse}\; N'_{0j_1-1} \;\mathsf{orElse}\; N'_{0j_1+1} \;\mathsf{orElse}\; \cdots \;\mathsf{orElse}\; N'_{0j_2-1} \;\mathsf{orElse}\; N'_{0j_2+1} \;\mathsf{orElse}\; \cdots \;\mathsf{orElse}\; N'_{0m}$ 
$\vdots$ 
$\approx$ (by removing $N'_{0j_l}$) 
$N_0 \;\mathsf{orElse}\; N'_{01} \;\mathsf{orElse}\; \cdots \;\mathsf{orElse}\; N'_{0j_1-1} \;\mathsf{orElse}\; N'_{0j_1+1} \;\mathsf{orElse}\; \cdots \;\mathsf{orElse}\; N'_{0j_2-1} \;\mathsf{orElse}\; N'_{0j_2+1} \;\mathsf{orElse}\; \cdots$ 
$\qquad \;\mathsf{orElse}\; N'_{0j_l-1} \;\mathsf{orElse}\; N'_{0j_l+1} \;\mathsf{orElse}\; \cdots \;\mathsf{orElse}\; N'_{0m}$ 
$= M'$ (that is in normal form). 

In every case, $M' \approx N_0 \;\mathsf{orElse}\; N'_0$, thus $M \approx M'$. □ 
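A concrete instance of the last case, added here as an illustration and not part of the original proof (the branches $K_i$, $K'_j$ and the names $a$, $b$, $c$ are chosen for this example). Let $N_0 = K_1 \;\mathsf{orElse}\; K_2$ and $N'_0 = K'_1 \;\mathsf{orElse}\; K'_2 \;\mathsf{orElse}\; K'_3$, both in normal form, with 

\[
\begin{array}{lll}
K_1 = \mathsf{rd}\,a.\mathsf{wt}\,c.\mathsf{end}, & K_2 = \mathsf{rd}\,b.\mathsf{end}, & \\
K'_1 = \mathsf{rd}\,a.\mathsf{rd}\,b.\mathsf{end}, & K'_2 = \mathsf{rd}\,c.\mathsf{end}, & K'_3 = \mathsf{rd}\,b.\mathsf{wt}\,a.\mathsf{end}.
\end{array}
\]

Then $\mathrm{RD}(K_1) = \{a\}$, $\mathrm{RD}(K_2) = \{b\}$, $\mathrm{RD}(K'_1) = \{a, b\}$, $\mathrm{RD}(K'_2) = \{c\}$ and $\mathrm{RD}(K'_3) = \{b\}$, so 

\[
P = \{\, j \mid \exists k \in \{1, 2\} : \mathrm{RD}(N_{0k}) \subseteq \mathrm{RD}(N'_{0j}) \,\} = \{1, 3\},
\]

since $\mathrm{RD}(K_1) \subseteq \mathrm{RD}(K'_1)$ and $\mathrm{RD}(K_2) \subseteq \mathrm{RD}(K'_3)$, while no $\mathrm{RD}(K_k)$ is included in $\mathrm{RD}(K'_2) = \{c\}$. Applying Proposition C2 (with (ASS) to regroup the branches, so that the branch being removed is the last one of a prefix) first to $K'_1$ and then to $K'_3$: 

\[
\begin{array}{rcll}
N_0 \;\mathsf{orElse}\; N'_0 & = & K_1 \;\mathsf{orElse}\; K_2 \;\mathsf{orElse}\; K'_1 \;\mathsf{orElse}\; K'_2 \;\mathsf{orElse}\; K'_3 & \\
& \approx & K_1 \;\mathsf{orElse}\; K_2 \;\mathsf{orElse}\; K'_2 \;\mathsf{orElse}\; K'_3 & \text{(by removing } K'_1\text{)} \\
& \approx & K_1 \;\mathsf{orElse}\; K_2 \;\mathsf{orElse}\; K'_2 & \text{(by removing } K'_3\text{)} \\
& = & M'. &
\end{array}
\]

$M'$ is in normal form: its branches read $\{a\}$, $\{b\}$ and $\{c\}$, and none of these multisets includes the reads of an earlier branch. Operationally, $K'_1$ can only commit in a store containing $a$, where $K_1$ already commits, and $K'_3$ only in a store containing $b$, where $K_2$ already commits, so neither removed branch is ever reached.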

D Proofs of Section 5 

Lemma D1 (Lemma 1) Assume that $s' \preceq s$ and $P \xRightarrow{s} P'$, then there is a process $P''$ such that 
$P \xRightarrow{s'} P''$. 

Proof. $s' \preceq s$ means $s' \preceq_0^n s$, for some $n \geq 0$. The proof proceeds by induction on $n$. For $n = 0$ 
we have $s = s'$. Suppose $n > 0$ and $s' \preceq_0^{n-1} s'' \preceq_0 s$. The result follows by induction hypothesis 
if we show that $P \xRightarrow{s''}$. We proceed by distinguishing the possible cases for $s'' \preceq_0 s$ according to 
laws (T01)-(T04). 

(T01) $s'' = rr'$ and $s = r\{a\}r'$, thus $\tilde{s}'' = \tilde{r}\tilde{r}'$ and $\tilde{s} = \tilde{r}\,a\,\tilde{r}'$. $P \xRightarrow{s}$ implies $P \xRightarrow{\tilde{r}} P_1 \xRightarrow{a} P_2 \xRightarrow{\tilde{r}'}$, and by 
Proposition A1, $P_1 \approx P_2 \mid \bar{a}$, that is $P \xRightarrow{\tilde{r}} P_2 \mid \bar{a} \xRightarrow{\tilde{r}'}$, hence $P \xRightarrow{s''}$; 

(T02) $s'' = r\,\bar{a}\{a\}r'$ and $s = r\{a\}\bar{a}\,r'$, thus $\tilde{s}'' = \tilde{r}\,\bar{a}\,a\,\tilde{r}'$ and $\tilde{s} = \tilde{r}\,a\,\bar{a}\,\tilde{r}'$. $P \xRightarrow{s}$ implies 
$P \xRightarrow{\tilde{r}} P_1 \xRightarrow{a} P_2 \xRightarrow{\bar{a}} P_3 \xRightarrow{\tilde{r}'}$, and by Proposition A1, $P_1 \approx P_2 \mid \bar{a}$, that is $P \xRightarrow{\tilde{r}} P_2 \mid \bar{a} \Rightarrow P_3 \mid \bar{a} \Rightarrow P_3 \xRightarrow{\tilde{r}'}$, 
hence $P \xRightarrow{s''}$; 

(T03) $s'' = rr'$ and $s = r\{a\}\bar{a}\,r'$, thus $\tilde{s}'' = \tilde{r}\tilde{r}'$ and $\tilde{s} = \tilde{r}\,a\,\bar{a}\,\tilde{r}'$. $P \xRightarrow{s}$ implies 
$P \xRightarrow{\tilde{r}} P_1 \xRightarrow{a} P_2 \xRightarrow{\bar{a}} P_3 \xRightarrow{\tilde{r}'}$, hence, by Proposition A1, $P_1 \approx P_2 \mid \bar{a}$, that is $P_2$ can synchronize with 
$\bar{a}$ and $P \xRightarrow{\tilde{r}} P_2 \mid \bar{a} \Rightarrow P_3 \xRightarrow{\tilde{r}'}$, that is $P \xRightarrow{s''}$; 

(T04) $s'' = \{a_1\} \cdots \{a_n\}$ and $s = \{a_1, \ldots, a_n\}$, or vice versa; in this case $\tilde{s} = \tilde{s}''$ by definition 
of $\tilde{\ }$. □ 

Lemma D2 (Lemma 2) Consider two traces $s$ and $r$. If there is a process $Q$ such that 
$O(s) \xRightarrow{\bar{r}} \xRightarrow{\omega} Q$ then $r \preceq s$. 

Proof. The proof proceeds by induction on $s$. 

$s = \bar{a}s'$: $O(s) = a.O(s')$ and $O(s) \xRightarrow{\bar{r}}$ implies $r = \bar{a}r'$ such that $O(s) \xRightarrow{a} O(s') \xRightarrow{\bar{r}'}$. By induction 
hypothesis, $r' \preceq s'$, hence by prefixing, $r = \bar{a}r' \preceq \bar{a}s' = s$; 

$s = \{a_1, \ldots, a_n\}s'$: $O(s) = (\prod_{a \in \{a_1, \ldots, a_n\}} \bar{a}) \mid O(s')$. We have $O(s) \xRightarrow{\bar{r}}$; we can distinguish the 
following cases depending on $r$: 

$a_i \notin r$ for all $i$: by induction hypothesis, $O(s') \xRightarrow{\bar{r}}$ implies $r \preceq s'$ and by (T01), $r \preceq s' \preceq 
\{a_1\} \cdots \{a_n\}s' \preceq_0 \{a_1, \ldots, a_n\}s' = s$; 

$a_{i_1}, \ldots, a_{i_k} \in r$ for $\{a_{i_1}, \ldots, a_{i_k}\} \subseteq \{a_1, \ldots, a_n\}$: in this case $r = r_1\{a_{i_1}\} \cdots r_k\{a_{i_k}\}r_{k+1}$ and 
$O(s') \xRightarrow{\bar{r}_1 \cdots \bar{r}_{k+1}}$. By induction hypothesis, $r_1 \cdots r_{k+1} \preceq s'$: 

$r = r_1\{a_{i_1}\} \cdots r_k\{a_{i_k}\}r_{k+1}$ 
$\preceq \{a_{i_1}\} \cdots \{a_{i_k}\}r_1 \cdots r_{k+1}$ (by (T02)) 
$\preceq \{a_{i_1}\} \cdots \{a_{i_k}\}s'$ (by induction and prefixing) 
$\preceq \{a_1\} \cdots \{a_n\}s'$ (by (T01) and (T02)) 
$\preceq_0 \{a_1, \ldots, a_n\}s'$ (by (T04)) 
$= s$; 

$r = r_1 \cdots r_k r_{k+1}$ and $O(s') \xRightarrow{\bar{r}_1\{a_{i_1}\} \cdots \bar{r}_k\{a_{i_k}\}\bar{r}_{k+1}}$ for $\{a_{i_1}, \ldots, a_{i_k}\} \subseteq \{a_1, \ldots, a_n\}$: by induction 
hypothesis, $r_1\bar{a}_{i_1} \cdots r_k\bar{a}_{i_k}r_{k+1} \preceq s'$ and: 

$r = r_1 \cdots r_k r_{k+1}$ 
$\preceq r_1\{a_{i_1}\}\bar{a}_{i_1} \cdots r_k\{a_{i_k}\}\bar{a}_{i_k}r_{k+1}$ (by (T03)) 
$\preceq \{a_{i_1}\} \cdots \{a_{i_k}\}r_1\bar{a}_{i_1} \cdots r_k\bar{a}_{i_k}r_{k+1}$ (by (T02)) 
$\preceq \{a_{i_1}\} \cdots \{a_{i_k}\}s'$ (by induction) 
$\preceq \{a_1\} \cdots \{a_n\}s'$ (by (T01) and (T02)) 
$\preceq_0 \{a_1, \ldots, a_n\}s'$ (by (T04)) 
$= s$. □ 

The proof of the full-abstraction theorem is standard (see e.g. [7]). 

Theorem D1 (Theorem 3) For all processes $P$ and $Q$, $P \sqsubseteq_{\mathit{may}} Q$ if and only if $P \ll_{\mathit{may}} Q$. 

Proof. $\Leftarrow$: Suppose $P \ll_{\mathit{may}} Q$ and $P\ \mathit{may}\ O$, for any observer $O$; we have to show that $Q\ \mathit{may}\ O$. 
$P\ \mathit{may}\ O$ means that $P \mid O \xRightarrow{\omega}$, that is there exists a trace $s$ such that $P \xRightarrow{s}$ and $O \xRightarrow{\bar{s}} \xRightarrow{\omega}$. $P \ll_{\mathit{may}} Q$ 
implies that there exists $s' \preceq s$ such that $Q \xRightarrow{s'}$. $s' \preceq s$ implies $s'\omega \preceq s\omega$. By Lemma D1 and 
$O \xRightarrow{\bar{s}\omega}$ we get that $O \xRightarrow{\bar{s}'\omega}$. Hence, from $Q \xRightarrow{s'}$ we obtain $Q \mid O \xRightarrow{\omega}$, that is $Q\ \mathit{may}\ O$ ($P \sqsubseteq_{\mathit{may}} Q$). 

$\Rightarrow$: Suppose $P \sqsubseteq_{\mathit{may}} Q$ and $P \xRightarrow{s}$; we have to show that there exists $s' \preceq s$ such that $Q \xRightarrow{s'}$. 
From $P \xRightarrow{s}$ and $O(s) \xRightarrow{\bar{s}} \xRightarrow{\omega}$ we have $P \mid O(s) \xRightarrow{\omega}$, that is $P\ \mathit{may}\ O(s)$. Hence $Q\ \mathit{may}\ O(s)$, that 
is $Q \mid O(s) \xRightarrow{\omega}$. Thus, there exists $s'$ such that $Q \xRightarrow{s'}$ and $O(s) \xRightarrow{\bar{s}'} \xRightarrow{\omega}$, and, by Lemma D2 and 
$O(s) \xRightarrow{\bar{s}'} \xRightarrow{\omega}$, we have $s' \preceq s$, that is $P \ll_{\mathit{may}} Q$. □ 
Lemma D3 (Lemma 3) Assume $M = \bigsqcup_{i \in 1..n} K_i$ is an expression in normal form. For every 
index $i$ in $\{1, \ldots, n\}$ we have $\mathsf{atom}(M); \sigma_i \rightarrow^* \{|(\mathsf{end})_{\sigma_i;\delta}|\}_{M}; \sigma_i$ where $\sigma_i = \mathrm{RD}(K_i) = \mathrm{RD}(\delta)$ 
and $\mathrm{WT}(\delta) = \mathrm{WT}(K_i)$. 

Proof. By definition of normal form. □ 

Corollary D1 Assume $M = \bigsqcup_{i \in 1..n} K_i$ is an expression in normal form. The possible behavior 
of $\mathsf{atom}(M)$ can be described as $\mathsf{atom}(M) \xRightarrow{\sigma_i} \prod_{b \in \mathrm{WT}(K_i)} \bar{b}$ for every $i \in 1..n$, where $\sigma_i$ is the 
multiset $\mathrm{RD}(K_i)$. 

Proof. By Lemma D3, rule (AtOk) and the definition of $\Rightarrow$. □ 

We can now prove the main result of Section 5, that is, that may-testing semantics is not 
able to distinguish the behavior of an atomic expression from the behavior of the corresponding 
CCS process. 

Theorem D2 (Theorem 3) For every expression $M$ in normal form we have 
$\mathsf{atom}(M) \simeq_{\mathit{may}} [\![M]\!]$. 

Proof. The proof proceeds by using the alternative preorder instead of the may preorder; in 
what follows it is shown that: 

1. $\mathsf{atom}(M) \ll_{\mathit{may}} [\![M]\!]$; 

2. $[\![M]\!] \ll_{\mathit{may}} \mathsf{atom}(M)$. 

Remember that $M$ is in normal form, thus $M = \mathsf{orElse}_{i=1,\ldots,n} K_i$ and $[\![M]\!] = \sum_{i=1,\ldots,n} [\![K_i]\!]$. The 
two points are shown in what follows. 

1. For proving that $\mathsf{atom}(M) \ll_{\mathit{may}} [\![M]\!]$, we have to show that $\forall s$ such that $\mathsf{atom}(M) \xRightarrow{s}$ there 
exists $s' \preceq s$ such that $[\![M]\!] \xRightarrow{s'}$. We distinguish the following cases for $s$: 

$s = \varepsilon$: in this case we can choose $s' = \varepsilon$; 

$s = \delta\,\bar{a}_{i_1} \cdots \bar{a}_{i_l}$ with $l \geq 0$: by Corollary D1, there is a $j \in \{1, \ldots, n\}$ such that $\delta = \mathrm{RD}(K_j)$ and 
$\mathsf{atom}(M) \xRightarrow{\mathrm{RD}(K_j)} \bar{a}_1 \mid \cdots \mid \bar{a}_m \xRightarrow{\bar{a}_{i_1} \cdots \bar{a}_{i_l}}$ 
with $\{a_{i_1}, \ldots, a_{i_l}\} \subseteq \{a_1, \ldots, a_m\} = \mathrm{WT}(K_j)$. 

Suppose $\mathrm{RD}(K_j) = \{b_1, \ldots, b_k\}$. By definition, $[\![K_j]\!] = b_1.\cdots.b_k.(\bar{a}_1 \mid \cdots \mid \bar{a}_m)$ with 
$\{a_1, \ldots, a_m\} = \mathrm{WT}(K_j)$. That is, if we choose the $j$-th summand of $[\![M]\!]$, we have 
$[\![M]\!] \xRightarrow{s'}$ with $s' = \{b_1\} \cdots \{b_k\}\bar{a}_{i_1} \cdots \bar{a}_{i_l}$, and by (T04) $s' \preceq_0 s$; 

2. For proving that $[\![M]\!] \ll_{\mathit{may}} \mathsf{atom}(M)$, we have to show that $\forall s$ such that $[\![M]\!] \xRightarrow{s}$ there 
exists $s' \preceq s$ such that $\mathsf{atom}(M) \xRightarrow{s'}$. We distinguish the following cases for $s$: 

$s = \{b_1\} \cdots \{b_k\}$: $s$ contains only input actions, thus we can choose $s' = \varepsilon \preceq s$ and 
$\mathsf{atom}(M) \xRightarrow{\varepsilon}$; 

$s = \{b_1\} \cdots \{b_k\}\bar{a}_1 \cdots \bar{a}_m$ with $m > 0$: in this case there is a $j \in \{1, \ldots, n\}$ such that 
$\{b_1, \ldots, b_k\} = \mathrm{RD}(K_j)$ and $\{a_1, \ldots, a_m\} \subseteq \mathrm{WT}(K_j)$ (by definition of $[\![\cdot]\!]$). 
Suppose $\sigma = \mathrm{RD}(K_j)$; by Lemma D3, $\mathsf{atom}(M); \sigma \rightarrow^* \{|(\mathsf{end})_{\sigma;\delta}|\}_{M}; \sigma$ with $\mathrm{RD}(\delta) = 
\mathrm{RD}(K_j)$ and $\mathrm{WT}(\delta) = \mathrm{WT}(K_j)$. This means that $\mathsf{atom}(M) \xRightarrow{\sigma} \prod_{a \in \mathrm{WT}(K_j)} \bar{a}$, that 
is (by (T04)) there is an $s' = \mathrm{RD}(\delta)\,\bar{a}_1 \cdots \bar{a}_m \preceq_0 \{b_1\} \cdots \{b_k\}\bar{a}_1 \cdots \bar{a}_m = s$ such 
that $\mathsf{atom}(M) \xRightarrow{s'}$. □ 